CVE-2024-46626
Published 2024-10-02

CVE-2024-46626: OS4ED openSIS-Classic v9.1 was discovered to contain a SQL injection vulnerability via a crafted payload.
Priority P2 · 60 · high · CVSS 3.1 base score 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 0.86% (53.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| os4ed | opensis | — | — |
Detection & IOCs (extracted from sources)
- command: `127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG`
- command: `127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze`
- Monitor HTTP requests to /Ajax.php for a malicious X-Forwarded-For header containing SQL injection patterns (e.g., EXTRACTVALUE, GTID_SUBSET, SLEEP) — the injection point is the custom X-Forwarded-For header, not a URL/body parameter.
- Detect boolean-based blind SQLi attempts via X-Forwarded-For using the MySQL EXTRACTVALUE function with CASE WHEN constructs.
- Detect error-based SQLi attempts via X-Forwarded-For using MySQL GTID_SUBSET with CONCAT and hex-encoded marker strings (0x717a787671, 0x71716b6b71).
- Detect time-based blind SQLi attempts via X-Forwarded-For using the MySQL SLEEP() function wrapped in a subquery.
- Use the Google Dork `intext:"openSIS is a product"` to identify exposed openSIS instances that may be vulnerable.
- Exploitation requires authentication: this is an authenticated SQLi vulnerability, so unauthenticated requests to /Ajax.php will not trigger the vulnerable code path.
- The injection is delivered via the X-Forwarded-For HTTP header, meaning standard WAF/IDS rules inspecting only URL parameters or POST body may miss this attack vector entirely.
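The header-focused detection described above, as an added example that is not part of this record or of openSIS: it inspects the X-Forwarded-For header of each request for the MySQL constructs named here (EXTRACTVALUE/CASE WHEN, GTID_SUBSET/CONCAT with the hex markers, SLEEP inside a subquery, the trailing quoted tautology) and additionally flags any X-Forwarded-For value that is not a plain list of IP addresses, which catches variants the signatures miss. The sample requests are constructed; the `SLEEP` payload is a hypothetical shape, not one quoted by the sources.

```python
import re
from typing import Dict, List, Tuple

# Signatures for the techniques reported against /Ajax.php via X-Forwarded-For.
SQLI_PATTERNS = {
    "extractvalue_case_when": re.compile(r"EXTRACTVALUE\s*\(.*CASE\s+WHEN", re.I | re.S),
    "gtid_subset_concat":     re.compile(r"GTID_SUBSET\s*\(\s*CONCAT\s*\(", re.I),
    "hex_marker":             re.compile(r"0x717a787671|0x71716b6b71", re.I),
    "sleep_subquery":         re.compile(r"\(\s*SELECT\b[^)]*SLEEP\s*\(", re.I | re.S),
    "quote_tautology":        re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1\b", re.I),
}
# A legitimate X-Forwarded-For is only comma-separated IPv4/IPv6 literals (or "unknown").
XFF_SHAPE = re.compile(r"(?:[0-9A-Fa-f.:]+|unknown)(?:\s*,\s*(?:[0-9A-Fa-f.:]+|unknown))*")


def inspect_request(path: str, headers: Dict[str, str]) -> List[str]:
    """Return the suspicious traits found in one request's X-Forwarded-For header.

    Every path is inspected; hits on the vulnerable /Ajax.php endpoint get an extra
    'vulnerable_endpoint' tag so alerts can be prioritised.
    """
    # Header names are case-insensitive, so normalise before looking the value up.
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if xff is None:
        return []
    reasons = [name for name, rx in SQLI_PATTERNS.items() if rx.search(xff)]
    if not XFF_SHAPE.fullmatch(xff.strip()):
        reasons.append("malformed_xff")  # anything beyond IP literals is abuse of the header
    if reasons and path.split("?", 1)[0].lower().endswith("/ajax.php"):
        reasons.append("vulnerable_endpoint")
    return reasons


# Constructed sample requests (label, path, headers); the first two reuse the quoted IOCs.
SAMPLES: List[Tuple[str, str, Dict[str, str]]] = [
    ("error_based_extractvalue", "/Ajax.php", {"X-Forwarded-For":
        "127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG"}),
    ("error_based_gtid", "/Ajax.php", {"x-forwarded-for":
        "127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze"}),
    ("time_based_sleep", "/Ajax.php?modname=x", {"X-Forwarded-For": "127.0.0.2' AND (SELECT SLEEP(5)) AND 'a'='a"}),
    ("benign_proxy_chain", "/Ajax.php", {"X-Forwarded-For": "203.0.113.7, 10.0.0.1"}),
    ("other_path_same_payload", "/index.php", {"X-Forwarded-For":
        "127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG"}),
]


def scan() -> Dict[str, List[str]]:
    """Run inspect_request over the constructed samples, keyed by label."""
    return {label: inspect_request(path, hdrs) for label, path, hdrs in SAMPLES}


if __name__ == "__main__":
    for label, reasons in scan().items():
        print(f"{label}: {reasons or 'clean'}")
```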
No detection rules found.
No writeups or analysis indexed.