SQL Injection in akshayp282/quizx
May 19th 2021
Course deletion on the teacher portal is vulnerable to SQL injection. This will allow a user to run arbitrary SQL queries and completely erase, export or change all information in the database - potentially rendering the entire platform unusable.
Proof of Concept
- Log in to the teacher portal
- Navigate to Courses and choose Delete a course
- When prompted for the course name, enter an injection string such as
test' OR 1=1;-- -
- Confirm. Refresh the page and you will notice that all the courses have been deleted.
Account takeover, complete deletion of data, unauthorized changes and application lockout are possible due to this bug.
Use prepared statements (parameterized queries) with proper exception handling on the back-end to prevent injection attacks. Basic checks on the front-end can additionally stop malformed requests from being sent, but they are trivially bypassed and must not be relied on as the fix.
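The remediation above, illustrated with an added example that is not code from the quizx project: a string-built DELETE (the vulnerable pattern described in this report) beside a parameterized one, run against a constructed in-memory SQLite table. The table layout, teacher scoping and function names are assumptions.

```python
import sqlite3

# Constructed sample data; the schema is an assumption, not quizx's real one.
COURSES = [("CS101", 1), ("CS102", 1), ("MATH200", 2)]
INJECTION = "test' OR 1=1;-- -"  # the input from the proof of concept


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (name TEXT, teacher_id INTEGER)")
    conn.executemany("INSERT INTO courses VALUES (?, ?)", COURSES)
    conn.commit()
    return conn


def count_courses(conn):
    return conn.execute("SELECT COUNT(*) FROM courses").fetchone()[0]


def delete_course_vulnerable(conn, teacher_id, name):
    # Vulnerable: the course name is spliced into the SQL text, so a quote in
    # the input closes the literal and the rest of the input rewrites the
    # WHERE clause (... AND name = 'test' OR 1=1;-- -' matches every row).
    sql = f"DELETE FROM courses WHERE teacher_id = {teacher_id} AND name = '{name}'"
    conn.executescript(sql)
    conn.commit()
    return count_courses(conn)


def delete_course_safe(conn, teacher_id, name):
    # Hardened: placeholders send the name as data, never as SQL. The same
    # input is simply compared as a literal course name and matches nothing.
    # Returns the number of rows deleted, or -1 if the database raised an error.
    try:
        cur = conn.execute(
            "DELETE FROM courses WHERE teacher_id = ? AND name = ?",
            (teacher_id, name),
        )
        conn.commit()
        return cur.rowcount
    except sqlite3.Error:
        conn.rollback()
        return -1


if __name__ == "__main__":
    db = make_db()
    print("safe, injection string:", delete_course_safe(db, 1, INJECTION), "rows deleted")
    print("safe, real course:", delete_course_safe(db, 1, "CS101"), "rows deleted")
    print("vulnerable, injection string leaves", delete_course_vulnerable(make_db(), 1, INJECTION), "rows")
```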