Vulnerability Overview

Vulnerability Name: Gibbon v30.0.00: Authenticated SQL Injection and RCE
Vulnerability Types: SQL Injection, Local File Inclusion (LFI), Denial of Service (DoS)
Discoverer: Nikolai Makaroff
Publication Date: May 17, 2023

Scope

Affected Software: Gibbon School Management System
Affected Versions: v30.0.00
Exploitation Prerequisites: Requires Teacher role or higher privileges

Remediation

Fixed Version: v30.0.01

Vulnerability Details

SQL Injection

Description: The SQL injection vulnerability arises due to SQL query string concatenation and interpolation.

Vulnerable Code:

Exploitation:
- Injects SQL code via the parameter in POST requests.
- Example Payload:

Local File Inclusion (LFI)

Description: Arbitrary file inclusion via the path leads to Remote Code Execution (RCE).

Vulnerable Code:

Exploitation:
- Achieves file inclusion by uploading a ZIP file and modifying the path.
- Example Exploitation Path:

Proof of Concept (PoC) Code

SQL Injection PoC:

LFI PoC:
- Upload a ZIP file and modify the path to .

Summary

Gibbon v30.0.00 contains SQL Injection and Local File Inclusion vulnerabilities. Attackers can leverage these flaws to achieve Remote Code Execution. It is recommended to upgrade to version v30.0.01 to mitigate these issues.
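
The root cause named under SQL Injection above (query text built by concatenation and interpolation), shown next to a bound-parameter version. This is an added example, not Gibbon source code and not the discoverer's PoC; the table, columns and function names are hypothetical, and an in-memory SQLite database (pdo_sqlite) stands in for the application's database.

```php
<?php
declare(strict_types=1);
// Added illustration; not Gibbon source code. The table, column and
// function names are hypothetical. SQLite in memory stands in for the
// application's database so the script runs offline (needs pdo_sqlite).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE course (id INTEGER PRIMARY KEY, name TEXT, teacher TEXT)');
$pdo->exec("INSERT INTO course (name, teacher) VALUES
    ('Algebra', 'alice'), ('Biology', 'bob'), ('Chemistry', 'carol')");

// Vulnerable pattern: the request value is interpolated into the SQL text,
// so a quote inside the value ends the string literal and whatever follows
// is parsed as SQL rather than compared as data.
function coursesInterpolated(PDO $pdo, string $teacher): array
{
    $sql = "SELECT name FROM course WHERE teacher = '{$teacher}' ORDER BY id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the SQL text is a constant and the value is bound,
// so the database only ever treats it as a value for the comparison.
function coursesBound(PDO $pdo, string $teacher): array
{
    $stmt = $pdo->prepare(
        'SELECT name FROM course WHERE teacher = :teacher ORDER BY id'
    );
    $stmt->execute([':teacher' => $teacher]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: one ordinary value and one containing a quote.
$inputs = ['alice', "alice' OR '1'='1"];
foreach ($inputs as $value) {
    printf(
        "%-20s interpolated=%d rows, bound=%d rows\n",
        $value,
        count(coursesInterpolated($pdo, $value)),
        count(coursesBound($pdo, $value))
    );
}
```

For the second input the two functions return different row counts: the interpolated query's WHERE clause has been rewritten by the value, while the bound query finds no teacher with that literal name.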