A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0 that allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter of TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to the "Take Attendance" functionality to trigger this vulnerability.
Steps to reproduce:
- Login as "Teacher" and navigate to "Attendance" then "Take Attendance". Capture the request in a web proxy such as BurpSuite.
Or just navigate to the URL:
http://demo.opensis.com/Ajax.php?modn...
Vulnerable parameter: cp_id_miss_attn
SQLi payload: r AND (SELECT 1670 FROM (SELECT(SLEEP(10)))VSpq)
URL with the payload: http://demo.opensis.com/Ajax.php?modn... AND (SELECT 1670 FROM (SELECT(SLEEP(10)))VSpq) &cpv_id_miss_attn=23&ajax=true
- The page load should be delayed by the SLEEP value, confirming the time-based injection.
You can use manual queries to dump database information or use sqlmap.
PoC: https://youtu.be/GGHiPvdPRas
OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in TakeAttendance.php via the cp_id_miss_attn parameter.
Steps to reproduce:
- Login as "teacher"
- In the 'cp_id_miss_attn' parameter, insert the payload:
cp_id_miss_attn=rotf7 onmouseover=alert(document.domain) style=position:absolute;width:100%;height:100%;top:0;left:0; z3as5
- The URL with the payload should look like the one below.
- Open it in the browser and the XSS should trigger.
PoC: https://youtu.be/WSNN7HBLO04
The 'modname' parameter of 'Modules.php' is vulnerable to local file inclusion (LFI). This vulnerability can be exploited to expose sensitive information from arbitrary files on the underlying system.
To exploit the vulnerability, log in as the "Parent" user and navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. The 'modname' parameter names the module file to load, and this request returns the contents of Portal.php. By going back a few directories using '..%2f' (decoded as '../'), it was possible to disclose arbitrary files from the server's filesystem, as long as the application has read access to the file.
- Login as "Parent"
- Open a web proxy such as BurpSuite and capture the requests
- Check the response
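Defenders reviewing access logs for the three issues above can key on the indicators the advisory itself names: '..%2f' traversal in the modname parameter of Modules.php, and SLEEP-based SQL or HTML event handlers in cp_id_miss_attn. The script below is an added example and not OpenSIS code; it runs over constructed log lines in a hypothetical "ip method path status" format and assumes OpenSIS resolves modname relative to a modules/ directory.

```python
"""Log-side detection for the OpenSIS 8.0 issues described above (added example)."""
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (hypothetical format: "<ip> <method> <path?query> <status>").
SAMPLE_LOG = """\
10.0.0.5 GET /Modules.php?modname=miscellaneous%2fPortal.php 200
10.0.0.5 GET /Modules.php?modname=..%2f..%2f..%2fetc%2fpasswd 200
10.0.0.7 GET /Ajax.php?modname=attendance%2fTakeAttendance.php&cp_id_miss_attn=r%20AND%20(SELECT%201670%20FROM%20(SELECT(SLEEP(10)))VSpq)&ajax=true 200
10.0.0.7 GET /Ajax.php?modname=attendance%2fTakeAttendance.php&cp_id_miss_attn=rotf7%20onmouseover%3Dalert(document.domain)%20style%3Dposition:absolute&ajax=true 200
10.0.0.9 GET /Ajax.php?modname=attendance%2fTakeAttendance.php&cp_id_miss_attn=23&ajax=true 200
"""

# Time-based / stacked SQL keywords and inline HTML event handlers.
SQLI_RE = re.compile(r"\b(sleep|benchmark)\s*\(|\bunion\b|\bselect\b", re.I)
XSS_RE = re.compile(r"<\s*script|\bon[a-z]+\s*=", re.I)


def modname_escapes_modules(value: str) -> bool:
    """True if the decoded modname resolves outside the assumed modules/ root.
    Decoding twice also catches values that were percent-encoded twice."""
    decoded = unquote(unquote(value))
    resolved = normpath("modules/" + decoded)
    return not resolved.startswith("modules/")


def classify(line: str) -> list[str]:
    """Return the indicator names found in one log line."""
    _ip, _method, target, _status = line.split(" ", 3)
    params = parse_qs(urlsplit(target).query)  # decodes %XX once
    hits = []
    for modname in params.get("modname", []):
        if modname_escapes_modules(modname):
            hits.append("lfi:modname")
    for value in params.get("cp_id_miss_attn", []):
        if SQLI_RE.search(value):
            hits.append("sqli:cp_id_miss_attn")
        if XSS_RE.search(value):
            hits.append("xss:cp_id_miss_attn")
    return hits


def scan(log: str) -> list[tuple[str, list[str]]]:
    """Pair every log line carrying at least one indicator with its hit list."""
    return [(ln, classify(ln)) for ln in log.splitlines() if classify(ln)]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, line)
```

The benign Portal.php request and the plain numeric cp_id_miss_attn value produce no hits, so the rules can be wired into a log pipeline without flagging normal Take Attendance traffic.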