CVE-2024-33408
📋 TL;DR
A SQL injection vulnerability in campcodes Complete Web-Based School Management System 1.0 allows attackers to execute arbitrary SQL commands via the id parameter in /model/get_classroom.php. This affects all deployments of version 1.0, potentially enabling data theft, modification, or system compromise.
💻 Affected Systems
- campcodes Complete Web-Based School Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise leading to data exfiltration, authentication bypass, remote code execution, and complete system takeover.
Likely Case
Unauthorized data access and modification, including student records, grades, and administrative data.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.
🎯 Exploit Status
Simple SQL injection via GET parameter. Public proof-of-concept available in GitHub references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available, or implement workarounds.
🔧 Temporary Workarounds
Input Validation and Parameterized Queries
Modify /model/get_classroom.php to use prepared statements and validate the id parameter
Replace vulnerable code with:
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT); // reject anything that is not an integer before it reaches SQL
if ($id === false || $id === null) { http_response_code(400); exit('invalid id'); }
$stmt = $conn->prepare('SELECT * FROM classrooms WHERE id = ?'); // placeholder keeps user data out of the SQL text
$stmt->bind_param('i', $id); $stmt->execute();
Web Application Firewall (WAF) Rules
Deploy WAF rules to block SQL injection patterns
ModSecurity rule: SecRule ARGS:id "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
🧯 If You Can't Patch
- Implement network segmentation to isolate the system from sensitive networks
- Deploy database monitoring to detect unusual SQL queries and access patterns
🔍 How to Verify
Check if Vulnerable:
Request /model/get_classroom.php?id=1' OR '1'='1 and observe whether an SQL error or unexpected data is returned
Check Version:
Check application version in admin panel or readme files
Verify Fix Applied:
Test with the same payload after the fix; it should return an error page or no data, with no SQL errors
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to /model/get_classroom.php with SQL-like parameters
Network Indicators:
- HTTP requests containing SQL keywords (UNION, SELECT, etc.) in id parameter
SIEM Query:
source="web_logs" AND uri="/model/get_classroom.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR '1'='1*")
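The SIEM query above matches raw keywords, so a request whose quotes and spaces are percent-encoded (as a browser or tool sends them) would slip past it. The following is an added example, not part of the advisory and not code from the school management system: it decodes the query string of each access-log line for /model/get_classroom.php and flags an id value that is not a plain integer, which is the same rule the prepared-statement fix enforces server-side. The log lines are constructed samples; the combined-log-format regex, the keyword list and the function names are assumptions made for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /model/get_classroom.php?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2024:10:01:07 +0000] "GET /model/get_classroom.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192',
    '10.0.0.9 - - [12/May/2024:10:01:09 +0000] "GET /model/get_classroom.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0',
    '10.0.0.3 - - [12/May/2024:10:02:00 +0000] "GET /index.php?page=login HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/May/2024:10:02:30 +0000] "GET /model/get_classroom.php?id=12abc HTTP/1.1" 200 100',
]

# Minimal parser for the common/combined log format (assumption: this is the web server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the advisory.
TARGET_PATH = "/model/get_classroom.php"

# Tokens that never belong in a numeric id; used only to label the reason, not to decide suspicion.
SQLI_PATTERN = re.compile(
    r"\b(union|select|or|and|sleep|benchmark)\b|--|/\*|'|\"|;", re.IGNORECASE
)


def parse_line(line):
    """Parse one log line; return a dict with decoded path and query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    # parse_qs percent-decodes values, so %27 becomes a quote before we inspect it.
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def suspicious_id(value):
    """Return a reason string if the id is anything but a plain integer, else None."""
    if re.fullmatch(r"\d+", value):
        return None
    if SQLI_PATTERN.search(value):
        return "sql-injection pattern"
    return "non-integer id"


def scan(lines):
    """Return one alert per suspicious id value sent to the vulnerable endpoint."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["params"].get("id", []):
            reason = suspicious_id(value)
            if reason:
                alerts.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "id": value,
                    "status": int(rec["status"]),
                    "reason": reason,
                })
    return alerts


def count_by_ip(alerts):
    """Aggregate alerts per source so repeated probing of the endpoint stands out."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f'{a["ts"]} {a["ip"]} status={a["status"]} reason={a["reason"]} id={a["id"]!r}')
    print("alerts per source:", count_by_ip(found))
```

Treating "not an integer" as the trigger, rather than a keyword list, is what makes the check robust: it flags the same requests the keyword query would, plus encoded or keyword-free probes, and it mirrors the validation the patched endpoint should perform. A 500 status on a flagged request is worth correlating with the "unusual SQL errors" log indicator above.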
🔗 References
- https://github.com/E1CHO/cve_hub/blob/main/Complete%20Web-Based%20School%20Management%20System/Complete%20Web-Based%20School%20Management%20System%20-%20vuln%207.pdf
- https://github.com/E1CHO/cve_hub/blob/main/Complete%20Web-Based%20School%20Management%20System/Complete%20Web-Based%20School%20Management%20System%20-%20vuln%209.pdf