💻
crackcat @ studying
  • 🏠Home
  • 📑Infographics
  • 🛠️How Stuff Works
    • Buffer Overflow - Explained
    • Embedded Firmware Extraction
  • Proxmox+Packer+Terraform+Ansible
  • 📒TryHackMe Write-Ups
    • 📵Mr. Robot
    • 🔗Binex
    • *️CMesS
    • 🏛️Olympus
    • 🧑‍💻UltraTech
    • 🧠Brainpan
  • ⚙️CVE
    • CVE-2019-17571 RCE PoC
    • CVE-2022-45962 Postauth SQLI
  • 🏴CTF Challenges
    • BugBase - RaaS
  • 🏢AllEndEvent
    • Introduction
    • Chapter I
    • Chapter II
    • Chapter III
Powered by GitBook
On this page
  • OpenSIS
  • Vulnerability Analysis
  • Proof of Concept
  • Impact
  • Remediation

Was this helpful?

  1. CVE

CVE-2022-45962 Postauth SQLI

Authenticated SQL Injection in openSIS classic prior to 9.0.

PreviousCVE-2019-17571 RCE PoCNextBugBase - RaaS

Last updated 2 years ago

Was this helpful?

OpenSIS

openSIS is a commercial grade, secure, scalable & intuitive Student Information System, School Management Software from OS4ED. Has all functionalities to run single or multiple institutions in one installation. Web based, php code, MySQL database.

Maintained by , openSIS is advertised as an open source Student Information System and comes in two versions: Community and Pro. The source code is available on GitHub .

Vulnerability Analysis

During a code review of the application I noticed the following lines in :

$_REQUEST['event_id'] = mysqli_real_escape_string($connection,optional_param('event_id', '', PARAM_DATA));
if (($_REQUEST['event_id'] || !isset($_REQUEST['event_id'])) && !isset($_REQUEST[assignment_id])) {
    // ...
} else {
    $RET = DBGet(DBQuery('SELECT TITLE,STAFF_ID,DATE_FORMAT(DUE_DATE,\'%d-%b-%y\') AS SCHOOL_DATE,ASSIGNED_DATE,DUE_DATE,DESCRIPTION FROM gradebook_assignments WHERE ASSIGNMENT_ID=\'' . $_REQUEST[assignment_id] . '\''));
    //...
}

As we can see in the first line, openSIS developers sanitized the event_id paramater in order to prevent SQL injection in the first if branch. However, should this parameter be empty, there's another one being used to build a different query in the else branch.

The query can be reduced to this format:

DBGet(DBQuery('SELECT TITLE,... 
    FROM gradebook_assignments 
    WHERE ASSIGNMENT_ID=\'' . $_REQUEST[assignment_id] . '\'
    '));

Apparently, the request parameter assignment_id is concatenated to the condition of a SELECT statement used to retrieve some information from the database.

Since this site is accessible only by authenticated users, an adversary would need a valid set of credentials. Beware that this also includes any student account.

Proof of Concept

Knowing the injectable query, we can craft a specific payload for exploitation:

' // end the condition
UNION SELECT // use union based SQLI to insert arbitrary values in the response
"SQLI CONFIRMED", // our extraction point (read from the database here)
"","","","","" // empty strings for the remaining columns
-- - // commenting out the rest of the query

Impact

Successful exploitation may lead to a full database information disclosure. The database contains PII of both students and teachers as well as grades, settings and the passwords of all users.

Remediation

$_REQUEST['assignment_id'] = sqlSecurityFilter($_REQUEST['assignment_id']);

The parameter is now passed to a filter that includes mysqli_real_escape_string before being used in the query. Although best practices would dictate the use of parameterized queries, the injection should now no longer be possible.

Self assigned CVSS score: with a base score of 6.5.

After contacting the vendor, the vulnerability was soon acknowledged and has now been addressed in the latest release. The fix can be found in this commit: .

⚙️
OS4ED
here
CalendarModal.php
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
81799fd
Sending PoC exploit query with BurpSuite