CVE-2024-45622
published 2024-09-02

CVE-2024-45622: ASIS (aka Aplikasi Sistem Sekolah using CodeIgniter 3) 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass.

Priority: P275 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 36.05% (98.3rd percentile)
Detection & IOCs (extracted from sources)

url: /asispanel/
url: /asispanel/login/cek
url: /asispanel/home
command: username=%27+or+0%3D0+%23%23&password={{pass}}&submit=&submit=
  • Probe for the ASIS login panel by checking for the string 'ASIS | Aplikasi Sistem Sekolah' in the HTTP response body of GET /asispanel/.
  • An exploitation attempt is a POST to /asispanel/login/cek with Content-Type application/x-www-form-urlencoded, carrying the SQL injection payload in the username field (' or 0=0 ##).
  • The Google dork "ASIS | Aplikasi Sistem Sekolah" identifies exposed ASIS instances.
  • The vulnerability affects ASIS versions 3.0.0 through 3.2.0 only; versions beyond 3.2.0 are not confirmed vulnerable.
  • The exploit requires three sequential HTTP requests: first confirming the panel exists (HTTP 200 with the fingerprint string), then sending the SQLi payload (expecting HTTP 303), then verifying access to /asispanel/home (HTTP 200 with 'Logout').