Unrated severity · NVD Advisory · Published Mar 17, 2023 · Updated Feb 26, 2025

SourceCodester Automatic Question Paper Generator System GET Parameter manage_question_paper.php SQL injection

CVE-2023-1474

Description

A vulnerability classified as critical was found in SourceCodester Automatic Question Paper Generator System 1.0. This vulnerability affects unknown code of the file users/question_papers/manage_question_paper.php of the component GET Parameter Handler. The manipulation of the argument id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223336.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in SourceCodester Automatic Question Paper Generator System 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

Vulnerability

A critical SQL injection vulnerability exists in SourceCodester Automatic Question Paper Generator System version 1.0. The flaw resides in the file users/question_papers/manage_question_paper.php, where the GET parameter id is not sanitized before being used in database queries. This allows an attacker to inject arbitrary SQL commands. The vulnerability is confirmed in version 1.0 and may affect other versions [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication. The attack involves sending a crafted HTTP GET request to the vulnerable endpoint with a malicious id parameter. For example, the payload id=1' and 999=999 and 'o'='o causes the application to execute the injected SQL statement, while id=1' and 999=996 and 'o'='p causes the query to fail, enabling boolean-based blind SQL injection. Additionally, a time-based payload id=1' and (select 9 from (select(sleep(15)))b) and 't'='t can be used to confirm injection by causing a delay [1].

Impact

Successful exploitation allows an attacker to retrieve, modify, or delete data from the database, potentially leading to information disclosure of sensitive data (e.g., user credentials, question papers). The attacker can also perform administrative operations depending on database privileges. The impact is high for confidentiality, integrity, and availability [1].

Mitigation

As of the publication date (2023-03-17), no official fix has been released by the vendor. Users should implement input validation and parameterized queries to prevent SQL injection. Until a patch is available, it is recommended to restrict access to the vulnerable page or upgrade to a newer version if released [1].
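
The input validation recommended above comes down to accepting only a numeric id, and the same allow-list check can be run over web server access logs to find requests to the vulnerable page that carried anything else. The script below is an added example, not code from the advisory or the vendor; it assumes Common/Combined Log Format, a numeric id, and a hypothetical /aqpg/ base path in its constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter named in the advisory.
VULN_PATH = "users/question_papers/manage_question_paper.php"
PARAM = "id"
# Assumption: a legitimate id is a plain decimal record number.
VALID_ID = re.compile(r"[0-9]{1,10}")
# Client, request target and status from a Common/Combined Log Format line.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (.+?) HTTP/[0-9.]+" (\d{3})')

def suspicious_requests(lines):
    """Return (client, status, decoded id) for each request to the
    vulnerable page whose id value is not a plain integer."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(VULN_PATH):
            continue
        # parse_qs percent-decodes values and maps '+' to a space, so
        # encoded input is checked in the form the application sees.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not VALID_ID.fullmatch(value):
                hits.append((client, int(status), value))
    return hits

# Constructed log lines: documentation IPs, hypothetical /aqpg/ base path.
# The id values in the last two lines are the payloads quoted in the advisory.
PAGE = "/aqpg/" + VULN_PATH
SAMPLE_LOG = [
    f'192.0.2.10 - - [17/Mar/2023:10:00:01 +0000] "GET {PAGE}?id=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [17/Mar/2023:10:00:09 +0000] "GET /aqpg/index.php?id=x%27 HTTP/1.1" 200 900',
    f'198.51.100.7 - - [17/Mar/2023:10:02:11 +0000] "GET {PAGE}'
    '?id=1%27%20and%20999=999%20and%20%27o%27=%27o HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [17/Mar/2023:10:02:40 +0000] "GET {PAGE}'
    '?id=1%27+and+(select+9+from+(select(sleep(15)))b)+and+%27t%27=%27t HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} id={value!r}")
```

A hit only shows that a non-numeric id reached the page; whether the query was altered has to be confirmed from application or database logs.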

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.