CVE-2024-33407
📋 TL;DR
This SQL injection vulnerability in campcodes Complete Web-Based School Management System 1.0 allows attackers to execute arbitrary SQL commands through the id parameter in the /model/delete_record.php endpoint. This affects all users running the vulnerable version of this school management software, potentially compromising school data and system integrity.
💻 Affected Systems
- campcodes Complete Web-Based School Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, modification, or deletion; potential authentication bypass leading to full system control; data exfiltration of sensitive student and staff information.
Likely Case
Unauthorized data access and modification, potential privilege escalation, and data integrity compromise affecting school records and operations.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only affecting non-sensitive data tables.
🎯 Exploit Status
SQL injection via GET/POST parameter is straightforward to exploit; public proof-of-concept exists in GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider migrating to alternative software or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add parameterized queries and input validation to /model/delete_record.php
Modify delete_record.php to use a prepared statement and bind the id as an integer instead of concatenating it into the query, e.g.: $stmt = $conn->prepare('DELETE FROM table WHERE id = ?'); $stmt->bind_param('i', $_GET['id']); $stmt->execute(); (replace "table" with the actual table name used by the application)
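The following is an added example of what a hardened delete_record.php can look like; it is not the project's own code, which is not reproduced on this page. It assumes a mysqli connection object named $conn is created by an included configuration file, and uses the placeholder table name "records" because the real table name is not given here. The id is validated as a positive integer before it ever reaches the database, and the query itself is a prepared statement so the value is bound rather than interpolated.

```php
<?php
// Hardened /model/delete_record.php (added example, not the project's code).
// Assumptions: ../config/db.php defines $conn (mysqli); the table name below is
// a placeholder because the application's real table name is not on this page.
declare(strict_types=1);

require_once __DIR__ . '/../config/db.php'; // assumed to define $conn (mysqli)

const RECORDS_TABLE = 'records'; // placeholder; set to the application's actual table

/**
 * Delete one row by primary key using a prepared statement.
 * Returns the number of rows deleted; throws on invalid input or database error.
 */
function deleteRecordById(mysqli $conn, string $table, $rawId): int
{
    // Only a positive integer is a valid id. filter_var rejects input such as
    // "1' OR '1'='1" outright, so the value never reaches SQL as text.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // Table names cannot be bound as parameters, so the table is a fixed,
    // developer-controlled constant rather than anything derived from the request.
    $stmt = $conn->prepare("DELETE FROM `{$table}` WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // The id travels as a bound integer parameter, not as part of the SQL string.
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Request handling: same GET parameter the original endpoint uses.
try {
    $deleted = deleteRecordById($conn, RECORDS_TABLE, $_GET['id'] ?? null);
    header('Content-Type: application/json');
    echo json_encode(['deleted' => $deleted]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid id';
} catch (RuntimeException $e) {
    // Keep database error detail in the server log, not in the HTTP response,
    // so probing requests cannot read SQL errors back.
    error_log('delete_record: ' . $e->getMessage());
    http_response_code(500);
    echo 'Internal error';
}
```

The example keeps the id on the GET request to match the snippet above; in practice a state-changing action such as a delete should only be accepted via POST and only after the application's existing session and authorization checks have run. Returning a generic error instead of the raw mysqli message also removes the SQL-error signal that the verification step below relies on to confirm the vulnerability.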
Web Application Firewall (WAF)
Deploy WAF rules to block SQL injection patterns
Add WAF rule: SecRule ARGS_GET:id "@rx (union|select|insert|update|delete|drop|--|#|\/\*|\*\/)" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected'"
🧯 If You Can't Patch
- Block external access to the vulnerable system using network segmentation and firewall rules
- Implement strict database permissions limiting application user to only necessary operations
🔍 How to Verify
Check if Vulnerable:
Test /model/delete_record.php?id=1' OR '1'='1 and observe if SQL error or unexpected behavior occurs
Check Version:
Check application version in admin panel or readme files
Verify Fix Applied:
Test with same payload after fixes; should return proper error handling without SQL execution
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to /model/delete_record.php with SQL-like parameters
- Database query patterns from unexpected sources
Network Indicators:
- HTTP requests containing SQL keywords in id parameter
- Unusual traffic patterns to the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri_path="/model/delete_record.php" AND (query_string="*union*" OR query_string="*select*" OR query_string="*--*" OR query_string="*'*'*")
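As an added example of the log indicators above (not part of the original advisory), the script below scans web-server access log lines in combined log format, picks out requests to /model/delete_record.php, URL-decodes the id parameter and flags any request whose id is not a plain positive integer, distinguishing values that carry the same SQL tokens the WAF rule above matches from merely non-numeric ones. The log lines embedded in it are constructed for illustration and the alert format is an assumption.

```php
<?php
// Added example: detect suspicious id values sent to the vulnerable endpoint in
// access logs. Not part of the project; sample log lines are constructed.
declare(strict_types=1);

const TARGET_PATH = '/model/delete_record.php';

// Same token set as the WAF rule in the mitigation section, plus quote characters,
// matched case-insensitively after URL decoding.
const SQLI_PATTERN = '/(union|select|insert|update|delete|drop|--|#|\/\*|\*\/|\'|")/i';

/**
 * Inspect one Apache/Nginx combined-format log line.
 * Returns null for benign lines, or an array describing why the line was flagged.
 */
function inspectLogLine(string $line): ?array
{
    // Client IP, request method, request target and HTTP status code.
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null; // not a request line in the expected format
    }
    [, $ip, $method, $target, $status] = $m;

    $parts = parse_url($target);
    if (($parts['path'] ?? '') !== TARGET_PATH) {
        return null; // some other endpoint
    }
    parse_str($parts['query'] ?? '', $params); // parse_str URL-decodes the values
    $id = $params['id'] ?? '';

    // A legitimate id is a positive integer; anything else is worth a look, and an
    // id containing SQL tokens is the strong indicator described above.
    if (is_string($id) && ctype_digit($id)) {
        return null;
    }
    $reason = (is_string($id) && preg_match(SQLI_PATTERN, $id)) ? 'sql_tokens_in_id' : 'non_numeric_id';

    return [
        'ip'     => $ip,
        'method' => $method,
        'id'     => is_string($id) ? $id : json_encode($id),
        'status' => (int) $status,
        'reason' => $reason,
    ];
}

/** Run the inspector over many lines and return only the flagged ones. */
function scanAccessLog(array $lines): array
{
    return array_values(array_filter(array_map('inspectLogLine', $lines)));
}

// Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
$sampleLog = [
    '192.0.2.10 - - [10/May/2024:12:00:01 +0000] "GET /model/delete_record.php?id=42 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/May/2024:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /model/delete_record.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2024:12:00:04 +0000] "GET /model/delete_record.php?id=1%20union%20select HTTP/1.1" 200 17 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2024:12:00:05 +0000] "GET /model/delete_record.php?id=abc HTTP/1.1" 500 0 "-" "curl/8.0"',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("ALERT %s %s id=%s status=%d (%s)\n",
        $hit['ip'], $hit['method'], $hit['id'], $hit['status'], $hit['reason']);
}
```

Decoding before matching matters: the SIEM query above looks for literal "union" or "'" in the raw query string, so a percent-encoded payload such as %27 would slip past it while the decoded check here still flags it. Repeated hits from one client with a 500 status are the combination to alert on, since a 500 on this endpoint is exactly the unhandled SQL error the verification step describes.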
🔗 References
- https://github.com/E1CHO/cve_hub/blob/main/Complete%20Web-Based%20School%20Management%20System/Complete%20Web-Based%20School%20Management%20System%20-%20vuln%206.pdf