"Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response."
-nvd.nist.gov
Gibbon is a flexible open source school management platform.
Exploiting this vulnerability is much easier than you think: by manipulating the "q" parameter you can query a local file, and that's it.
The juiciest file you can find is gibbon.sql, which contains all the tables and data necessary for the operation of the software.
[*] gibbon.png
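A defender-side check for the request pattern described above, as an added example that is not from the original post or the Gibbon project: it scans web-server access logs for "q" values that do not name a PHP page and reports whether the server answered them. The log lines are constructed, and the rule that legitimate "q" values end in .php is an assumption to verify against your own traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2023:10:00:01 +0000] "GET /index.php?q=/modules/Students/student_view.php HTTP/1.1" 200 5120
203.0.113.44 - - [01/Jun/2023:10:00:07 +0000] "GET /?q=gibbon.sql HTTP/1.1" 200 1048576
203.0.113.44 - - [01/Jun/2023:10:00:09 +0000] "GET /index.php?q=%67ibbon.SQL HTTP/1.1" 200 1048576
203.0.113.10 - - [01/Jun/2023:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jun/2023:10:00:15 +0000] "GET /index.php?q=gibbon.sql HTTP/1.1" 403 199
"""

# Captures client IP, request target, status code and response size.
LINE_RE = re.compile(
    r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) (\d+|-)')


def suspicious_q_requests(log_text):
    """Return one finding per request whose q value is not a .php page.

    Assumption: legitimate Gibbon navigation passes a path ending in .php
    in q, so anything else (for example a .sql file) deserves a look.
    """
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ip, target, status, size = match.groups()
        # parse_qs percent-decodes, so encoded variants are compared decoded.
        for q in parse_qs(urlsplit(target).query).get("q", []):
            if not q.lower().endswith(".php"):
                findings.append({
                    "ip": ip,
                    "q": q,
                    "status": int(status),
                    # A 2xx answer means file content may have been returned.
                    "served": status.startswith("2"),
                    "bytes": 0 if size == "-" else int(size),
                })
    return findings


if __name__ == "__main__":
    for finding in suspicious_q_requests(SAMPLE_LOG):
        print(finding)
```

Findings with "served" set to true and a large byte count are the ones to treat as a probable disclosure of the file's content.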
Looking for vulnerable targets
No long speeches: the icon hash is -165631681. Vulnerable versions are those before 25.0.00 (included), so you may want to exclude newer versions.
You can search for it on Shodan or similar services, like Hunter, FOFA or Zoomeye.
[*] fofa_results.png
Here is a Hunter query that searches for the same thing.