CVE-2022-45962 Postauth SQLI
Authenticated SQL Injection in openSIS classic prior to 9.0.
openSIS is a commercial grade, secure, scalable & intuitive Student Information System, School Management Software from OS4ED. Has all functionalities to run single or multiple institutions in one installation. Web based, php code, MySQL database.
$_REQUEST['event_id'] = mysqli_real_escape_string($connection,optional_param('event_id', '', PARAM_DATA));
if (($_REQUEST['event_id'] || !isset($_REQUEST['event_id'])) && !isset($_REQUEST[assignment_id])) {
// ...
} else {
$RET = DBGet(DBQuery('SELECT TITLE,STAFF_ID,DATE_FORMAT(DUE_DATE,\'%d-%b-%y\') AS SCHOOL_DATE,ASSIGNED_DATE,DUE_DATE,DESCRIPTION FROM gradebook_assignments WHERE ASSIGNMENT_ID=\'' . $_REQUEST[assignment_id] . '\''));
//...
}
As we can see in the first line, openSIS developers sanitized the
event_id
paramater in order to prevent SQL injection in the first if
branch. However, should this parameter be empty, there's another one being used to build a different query in the else
branch.The query can be reduced to this format:
DBGet(DBQuery('SELECT TITLE,...
FROM gradebook_assignments
WHERE ASSIGNMENT_ID=\'' . $_REQUEST[assignment_id] . '\'
'));
Apparently, the request parameter
assignment_id
is concatenated to the condition of a SELECT
statement used to retrieve some information from the database.Since this site is accessible only by authenticated users, an adversary would need a valid set of credentials. Beware that this also includes any student account.
Knowing the injectable query, we can craft a specific payload for exploitation:
' // end the condition
UNION SELECT // use union based SQLI to insert arbitrary values in the response
"SQLI CONFIRMED", // our extraction point (read from the database here)
"","","","","" // empty strings for the remaining columns
-- - // commenting out the rest of the query

Sending PoC exploit query with BurpSuite
Successful exploitation may lead to a full database information disclosure. The database contains PII of both students and teachers as well as grades, settings and the passwords of all users.
After contacting the vendor, the vulnerability was soon acknowledged and has now been addressed in the latest release. The fix can be found in this commit: 81799fd.
$_REQUEST['assignment_id'] = sqlSecurityFilter($_REQUEST['assignment_id']);
The parameter is now passed to a filter that includes
mysqli_real_escape_string
before being used in the query. Although best practices would dictate the use of parameterized queries, the injection should now no longer be possible.
Last modified 7mo ago