Online Quiz Maker SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Online Quiz Maker version 1.0. This vulnerability exists in the 'catid' and 'usern' parameters, allowing authenticated attackers to execute arbitrary SQL commands. Exploitation involves sending crafted SQL payloads via POST requests to 'quiz-system.php' or 'add-category.php'. This vulnerability could be used to extract sensitive database information or bypass authentication.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, which could lead to unauthorized data access or manipulation. Additionally, this vulnerability could be used to bypass authentication, as noted in the VulnCheck advisory.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to 'quiz-system.php' with the 'catid' parameter. The request can include a crafted SQL payload that exploits the application's SQL query handling. Alternatively, the 'usern' parameter can be targeted by sending a POST request to 'add-category.php' with a SQL injection payload that manipulates the authentication process.