SQL Injection inside category creation (checkIfCategoryExists) in thorsten/phpmyfaq
Reported on Oct 30th 2022
Description
A user with the permission to add a category can abuse this feature to execute their own SQL queries.
Proof of Concept
Static code analysis
The vulnerable PHP code is:
public function checkIfCategoryExists(array $categoryData): int
{
    // name and lang come straight from the request and are interpolated
    // into the SQL text without escaping
    $query = sprintf(
        "SELECT name from %sfaqcategories WHERE name = '%s' AND lang = '%s'",
        Database::getTablePrefix(),
        $categoryData['name'],
        $categoryData['lang']
    );
    $result = $this->config->getDb()->query($query);
    return $this->config->getDb()->numRows($result);
}
The parameters name and lang are not escaped. This leads to SQL injection.
False query
A false query returns "no category exists with this name", so a category is created, as follows:
True query
A true query returns "the category already exists", so a category is NOT created:
The password hash for the user superadm is fdfff37a89b153..., so the first letter is f.
' OR 'f'=(SELECT SUBSTR(pass,1,1) FROM phpmyfaq_faquserlogin WHERE login='superadm') -- -
Impact
A user with the permission to add a category can dump the whole database. They can use the retrieved data to obtain an administrator account. An attacker could also use mathematical functions to DDoS the SQL workers.
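For comparison, the same existence check written so that name and lang are bound as data rather than interpolated into the SQL text. This is an added example, not phpMyFAQ's own code or its actual fix; it assumes PDO with the pdo_sqlite extension and uses a constructed in-memory table.

```php
<?php
// Added example (not phpMyFAQ code): existence check with a prepared statement.
// Assumes the pdo_sqlite extension is available.

function checkIfCategoryExists(PDO $db, string $prefix, array $categoryData): int
{
    // The table prefix is configuration, not request input, but it is still
    // restricted to an allow-list of characters before being placed in the query.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('Invalid table prefix');
    }

    // Placeholders keep user-supplied values out of the SQL text entirely;
    // quotes or keywords inside them are compared as part of the literal value.
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM {$prefix}faqcategories WHERE name = :name AND lang = :lang"
    );
    $stmt->execute([
        ':name' => $categoryData['name'],
        ':lang' => $categoryData['lang'],
    ]);

    return (int) $stmt->fetchColumn();
}

// Constructed in-memory schema and a single sample row for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phpmyfaq_faqcategories (id INTEGER PRIMARY KEY, name TEXT, lang TEXT)');
$db->exec("INSERT INTO phpmyfaq_faqcategories (name, lang) VALUES ('General', 'en')");

// A legitimate lookup matches the existing row (count of 1).
var_dump(checkIfCategoryExists($db, 'phpmyfaq_', ['name' => 'General', 'lang' => 'en']));

// A name containing quote characters is looked up as a literal string: no
// category has that name, so the count is 0 and no other SQL is evaluated.
var_dump(checkIfCategoryExists($db, 'phpmyfaq_', ['name' => "' OR '1'='1", 'lang' => 'en']));
```

A boolean-based check like the one in the proof of concept no longer changes the query's logic, because the input is only ever compared against the name column as a value.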
Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/137cc2bb9e48255931ee2f2a98803f7fd27edfd5
The fix looks good to me! Could we assign a CVE to this vulnerability? @admin @maintainer
Hey @maintainer @admin,
Could we assign a CVE to this vulnerability now?
Best regards, xanhacks
Hey xanhacks, CVE assignment is in the hands of the maintainer, please refrain from tagging @admin's for this request. Thanks :)