mathurvishal CloudClassroom SQL Injection Vulnerability in Post Query Component
Vulnerability
A SQL injection vulnerability has been identified in the CloudClassroom PHP Project, specifically in version 1.0 prior to commit 5dadec098bfbbf3300d60c3494db3fb95b66e7be. The issue resides in the Post Query Details Page, within the file postquerypublic.php. The vulnerability is triggered by manipulating the gnamex parameter in a POST request, allowing attackers to inject arbitrary SQL commands. This exploitation can be performed remotely, without any authentication requirements.
Impact
Successful exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to the extraction of sensitive information such as user credentials and exam results. Additionally, attackers could enumerate databases, tables, and columns, and compromise the entire application along with its underlying database.
Reproduction
To reproduce this vulnerability, access the Post Query form at the endpoint postquerypublic.php. Intercept the request using a tool like Burp Suite, or manually craft a POST request. Include the gnamex parameter with a payload that exploits the SQL injection vulnerability, such as one that uses the updatexml() function to extract database information. After sending the request, the response will reveal the injected data, confirming the successful exploitation of the vulnerability.
Remediation
Use prepared statements in PHP (mysqli or PDO with bound parameters) so that the gnamex value is passed to the database as data rather than concatenated into the query string. Additionally, validate and escape input, and run the application against a database user that holds only the least privilege it needs.
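As an added example (not code from the CloudClassroom project), a hypothetical handler for the gnamex parameter written first in the string-concatenation form that produces this class of flaw, then in the PDO prepared-statement form with validation, error handling and a least-privilege connection; the table and column names, the allowed character set and the database user are assumptions, and mysqli's prepare()/bind_param() would serve the same purpose.

```php
<?php
// Added example (not the project's own code); tblquery/gname are assumed names.
// Vulnerable pattern: the raw gnamex value is spliced into the SQL string, so
// a quote in it changes the query structure; if driver error text reaches the
// response, error-based techniques such as updatexml() work against it.
function insertQueryVulnerable(PDO $db, array $post): bool
{
    $name = $post['gnamex'] ?? '';
    $sql  = "INSERT INTO tblquery (gname) VALUES ('" . $name . "')";
    return $db->exec($sql) !== false;
}

// Hardened step 1: accept only an explicit allow-list (character class assumed
// to suit a name field) and a bounded length.
function validateName(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value) > 100) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} .\'-]+$/u', $value) === 1 ? $value : null;
}

// Hardened step 2: bind the value as a parameter so the server never parses it
// as SQL, and log driver errors instead of echoing them to the client.
function insertQuerySafe(PDO $db, array $post): bool
{
    $name = validateName((string) ($post['gnamex'] ?? ''));
    if ($name === null) {
        http_response_code(400);
        return false;
    }
    try {
        $stmt = $db->prepare('INSERT INTO tblquery (gname) VALUES (:gname)');
        $stmt->bindValue(':gname', $name, PDO::PARAM_STR);
        return $stmt->execute();
    } catch (PDOException $e) {
        error_log('postquery insert failed: ' . $e->getMessage());
        http_response_code(500);
        return false;
    }
}

// Connection: native (non-emulated) prepares so binding happens server-side,
// and a dedicated DB user granted only INSERT on tblquery (least privilege).
$pdo = new PDO('mysql:host=localhost;dbname=cloudclassroom;charset=utf8mb4',
    'postquery_user', getenv('DB_PASSWORD') ?: '',
    [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
insertQuerySafe($pdo, $_POST);
```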