CVE-2013-1349
published 2013-12-09

CVE-2013-1349: Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter.

Priority: P266 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 23.32% (97.5th percentile)

Affected

9 ranges
Vendor | Product | Version range | Fixed in
os4ed | opensis | |
os4ed | opensis | |
os4ed | opensis | |
os4ed | opensis | |
os4ed | opensis | |
os4ed | opensis | |
os4ed | opensis | |
os4ed | opensis | |
os4ed | opensis | |

Detection & IOCs (extracted from sources)

path: /opensis/ajax.php
path: ajax.php
command: modname=<junk>?<junk>=<junk>';system(base64_decode('<b64_payload>'));//
  • Monitor POST requests to ajax.php containing a 'modname' parameter with a '?' character, which is the trigger condition for the eval() code path.
  • Detect the exploit payload pattern in the modname parameter: presence of single-quote, semicolon, PHP function names (system/exec/shell_exec/passthru), and base64_decode() in a single POST body value.
  • Flag POST requests to ajax.php where the modname parameter contains PHP execution functions: exec, shell_exec, passthru, or system combined with base64_decode.
  • The exploit requires prior authentication; correlate suspicious ajax.php POST requests with a preceding successful login POST to index.php with USERNAME and PASSWORD parameters.
  • The Metasploit module sets a randomly generated PHPSESSID cookie. It confirms successful payload delivery by checking the response body for 'hacking_log' (case-insensitive), which can be used as a detection string.
  • Exploitation requires valid credentials for an OpenSIS account; unauthenticated exploitation is not possible with this vector.
  • The default Metasploit TARGETURI is '/opensis/'; installations at non-default paths will require adjusted detection rules.
  • Affected versions are 4.5 through 5.2 only; verify the installed OpenSIS version before applying detection rules to avoid false positives on patched instances.
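
The checks listed above, combined into one pass over a client's request stream. This is an added example, not code from the source advisories or from the Metasploit module. The event fields (`method`, `path`, `body`, `response`), the reason labels and the sample events are assumptions constructed for illustration, and the login check only sees that a login POST occurred, not whether it succeeded.

```python
import re
from urllib.parse import parse_qs, urlencode

# PHP execution functions named in the detection notes, followed by "(".
PHP_EXEC = re.compile(r"\b(system|exec|shell_exec|passthru)\s*\(", re.I)

def inspect(events):
    """Return [(index, reasons)] for suspicious ajax.php POSTs from one client.

    `events` is a time-ordered list of dicts (hypothetical schema):
    method, path, body (urlencoded form data), response (body text).
    """
    findings, login_seen = [], False
    for i, ev in enumerate(events):
        if ev["method"] != "POST":
            continue
        path = ev["path"].split("?", 1)[0].lower()
        params = parse_qs(ev["body"], keep_blank_values=True)
        if path.endswith("/index.php") and {"USERNAME", "PASSWORD"} <= params.keys():
            login_seen = True  # login POST observed; success is not verified here
            continue
        if not path.endswith("/ajax.php"):  # suffix match covers non-default install paths
            continue
        for value in params.get("modname", []):
            reasons = []
            if "?" in value:  # trigger condition for the eval() code path
                reasons.append("modname-contains-?")
            if ("'" in value and ";" in value and PHP_EXEC.search(value)
                    and "base64_decode(" in value.lower()):
                reasons.append("php-exec-with-base64_decode")
            if reasons and "hacking_log" in ev.get("response", "").lower():
                reasons.append("response-hacking_log")
            if reasons and login_seen:
                reasons.append("after-login-post")
            if reasons:
                findings.append((i, reasons))
    return findings

# Constructed sample: login, a benign module request, then the pattern from this page
# with placeholder junk and an inert base64 value ("QUJD" decodes to "ABC").
SAMPLE = [
    {"method": "POST", "path": "/opensis/index.php",
     "body": urlencode({"USERNAME": "u", "PASSWORD": "p"}), "response": ""},
    {"method": "POST", "path": "/opensis/ajax.php",
     "body": urlencode({"modname": "Students/Student.php"}), "response": ""},
    {"method": "POST", "path": "/opensis/ajax.php",
     "body": urlencode({"modname": "a?b=c';system(base64_decode('QUJD'));//"}),
     "response": "... HACKING_LOG ..."},
]

if __name__ == "__main__":
    for index, reasons in inspect(SAMPLE):
        print(index, reasons)
```

A `modname-contains-?` hit on its own is a monitoring signal; the combined reasons are what warrant an alert.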