CVE-2024-33403
📋 TL;DR
A SQL injection vulnerability in campcodes Complete Web-Based School Management System 1.0 allows attackers to execute arbitrary SQL commands via the event_id parameter in /model/get_events.php. This affects all users running the vulnerable version of this web application. Attackers can potentially access, modify, or delete database content.
💻 Affected Systems
- campcodes Complete Web-Based School Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data destruction, authentication bypass, and potential remote code execution if database permissions allow.
Likely Case
Unauthorized data access, data manipulation, and potential privilege escalation within the application.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions.
🎯 Exploit Status
SQL injection via GET parameter is trivial to exploit with common tools like sqlmap. Public proof-of-concept exists in GitHub references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
1. Review the /model/get_events.php file
2. Replace direct parameter concatenation with prepared statements
3. Implement proper input validation for event_id parameter
4. Test the fix thoroughly
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules to block malicious requests.
Input Validation Filter
Add input validation so that only numeric values are accepted for the event_id parameter.
In PHP: if(!is_numeric($_GET['event_id'])) { die('Invalid input'); }
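The handler below is an added example, not code from the campcodes project or from the advisory's references. It brings together steps 2 and 3 of the Official Fix (prepared statement, input validation) and the Input Validation Filter workaround above. The table and column names (events, id, title, start_date) and the connection details are assumptions; the vulnerable pattern is shown only as the concatenation shape the advisory describes. It uses filter_var with FILTER_VALIDATE_INT rather than is_numeric(), because is_numeric() also accepts values such as "1.5", "1e3" and leading whitespace, which an integer ID never needs.

```php
<?php
// Added example for CVE-2024-33403 (not the project's own code).
// Table/column names and connection details are assumptions.

// --- Vulnerable pattern, for contrast only (do not deploy) ---
// The parameter is spliced into the SQL text, so quote characters in it
// change the structure of the query instead of being treated as data.
function build_query_vulnerable(array $get): string
{
    return "SELECT * FROM events WHERE id = '" . $get['event_id'] . "'";
}

// --- Workaround layer (Input Validation Filter) ---
// Accept only a positive integer; anything else is rejected before it can
// reach the database. FILTER_VALIDATE_INT is stricter than is_numeric().
function validate_event_id(array $get): ?int
{
    if (!isset($get['event_id'])) {
        return null;
    }
    $id = filter_var($get['event_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// --- Fix (Official Fix steps 2 and 3) ---
// A prepared statement with a bound integer parameter: the value is sent
// separately from the query text, so it can never alter the query.
function get_events_fixed(PDO $db, array $get): array
{
    $id = validate_event_id($get);
    if ($id === null) {
        http_response_code(400);
        return ['error' => 'Invalid event_id'];
    }
    $stmt = $db->prepare(
        'SELECT id, title, start_date FROM events WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in /model/get_events.php (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=school', $user, $pass, [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// header('Content-Type: application/json');
// echo json_encode(get_events_fixed($db, $_GET));
```

Keeping the validation step even after moving to prepared statements is deliberate: the prepared statement removes the injection, while the integer check gives you a clean 400 response to alert on (see Detection & Monitoring) instead of a database error.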
🧯 If You Can't Patch
- Block external access to the vulnerable system using network ACLs or firewall rules
- Implement strict database user permissions with least privilege principle
🔍 How to Verify
Check if Vulnerable:
Test /model/get_events.php?event_id=1' OR '1'='1 and check for SQL errors or unexpected behavior.
Check Version:
Check application version in admin panel or configuration files
Verify Fix Applied:
Test with SQL injection payloads and verify they are rejected or properly handled without database errors.
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in web server logs
- Unusual database queries from web application user
- Multiple failed parameter validation attempts
Network Indicators:
- HTTP requests to /model/get_events.php with SQL keywords in parameters
- Unusual database port traffic from web server
SIEM Query:
source="web_logs" AND uri="/model/get_events.php" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR*" OR param="*'*" OR param="*--*" OR param="*;*")
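The SIEM query above matches on raw parameter substrings, which misses URL-encoded payloads (a quote arrives as %27) and produces noise on a bare "OR" match. The script below is an added example, not part of the advisory, that applies the same idea more precisely to web server access logs: it parses combined-format lines, URL-decodes the query string, and flags any request to /model/get_events.php whose event_id is not a plain integer, naming the SQL indicators it finds. The log lines are constructed samples, not real traffic.

```php
<?php
// Added detection example for CVE-2024-33403 (not from the advisory).
// Flags /model/get_events.php requests whose event_id is anything other than
// an integer, after URL-decoding, so encoded quotes and comment markers are
// caught. Sample log lines below are constructed, in Apache combined format.

const TARGET_PATH = '/model/get_events.php';

function sample_log(): string
{
    return <<<'LOG'
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /model/get_events.php?event_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2024:12:00:02 +0000] "GET /model/get_events.php?event_id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2024:12:00:03 +0000] "GET /model/get_events.php?event_id=1+UNION+SELECT+1,2,3-- HTTP/1.1" 500 221 "-" "sqlmap/1.7"
203.0.113.13 - - [10/May/2024:12:00:04 +0000] "GET /index.php?page=events&order=date HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG;
}

// Parse one combined-format line into the fields we need; null if it does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'uri'    => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

// Return a reason string if the request is suspicious for this CVE, else null.
function classify_request(array $req): ?string
{
    if (parse_url($req['uri'], PHP_URL_PATH) !== TARGET_PATH) {
        return null;
    }
    $query = parse_url($req['uri'], PHP_URL_QUERY) ?? '';
    parse_str($query, $params);               // parse_str URL-decodes the values
    if (!isset($params['event_id'])) {
        return 'event_id missing';
    }
    $value = $params['event_id'];
    if (filter_var($value, FILTER_VALIDATE_INT) !== false) {
        return null;                           // the only legitimate shape of event_id
    }
    // The non-integer check above decides; this only labels the indicator for
    // the analyst, so a payload using none of these tokens is still flagged.
    if (preg_match('/[\'"]|--|;|\bunion\b|\bselect\b/i', $value)) {
        return 'SQL metacharacters/keywords in event_id: ' . $value;
    }
    return 'non-integer event_id: ' . $value;
}

function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $reason = classify_request($req);
        if ($reason !== null) {
            $hits[] = sprintf('%s %s "%s" %d %s -> %s',
                $req['time'], $req['ip'], $req['ua'], $req['status'], $req['uri'], $reason);
        }
    }
    return $hits;
}

foreach (scan_log(sample_log()) as $hit) {
    echo $hit, PHP_EOL;
}
```

Run against the constructed sample, the first and fourth lines are ignored (a legitimate integer, and a different path), while the two injected requests are reported with the decoded event_id value. The same "not an integer" rule is what a WAF or the validation filter enforces, so the detection and the mitigation agree on what normal traffic looks like.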
🔗 References
- https://github.com/E1CHO/cve_hub/blob/main/Complete%20Web-Based%20School%20Management%20System/Complete%20Web-Based%20School%20Management%20System%20-%20vuln%2010.pdf
- https://github.com/E1CHO/cve_hub/blob/main/Complete%20Web-Based%20School%20Management%20System/Complete%20Web-Based%20School%20Management%20System%20-%20vuln%202.pdf