CVE-2024-46626
published 2024-10-02

CVE-2024-46626: OS4ED openSIS-Classic v9.1 was discovered to contain a SQL injection vulnerability via a crafted payload.

Priority: P2 (60) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged
EPSS: 0.86% (53.8th percentile)
Affected (1 range)

Vendor: os4ed · Product: opensis · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /Ajax.php?modname=x
command: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG
command: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze
command: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae
path: /Ajax.php
  • Monitor HTTP requests to /Ajax.php for a malicious X-Forwarded-For header containing SQL injection patterns (e.g., EXTRACTVALUE, GTID_SUBSET, SLEEP); the injection point is the custom X-Forwarded-For header, not a URL or body parameter.
  • Detect boolean-based blind SQLi attempts via X-Forwarded-For using the MySQL EXTRACTVALUE function with CASE WHEN constructs.
  • Detect error-based SQLi attempts via X-Forwarded-For using MySQL GTID_SUBSET with CONCAT and hex-encoded marker strings (0x717a787671, 0x71716b6b71).
  • Detect time-based blind SQLi attempts via X-Forwarded-For using the MySQL SLEEP() function wrapped in a subquery.
  • Use the Google Dork 'intext:"openSIS is a product"' to identify exposed openSIS instances that may be vulnerable.
  • Exploitation requires authentication: this is an authenticated SQLi vulnerability, so unauthenticated requests to /Ajax.php will not reach the vulnerable code path.
  • The injection is delivered via the X-Forwarded-For HTTP header, so WAF/IDS rules that inspect only URL parameters or the POST body may miss this attack vector entirely.
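As an added example (not from the page's sources or the openSIS project), the detection bullets above turned into a triage check over proxy or WAF log records; the record schema (`path`, `headers`, `authenticated`) and the sample records are assumptions, and the technique labels follow the page's own classification of each construct.

```python
import ipaddress
import re

# Signatures distilled from the page's detection bullets; the technique labels
# follow the page's own classification of each MySQL construct.
SQLI_SIGNATURES = {
    "boolean-blind (EXTRACTVALUE + CASE WHEN)":
        re.compile(r"EXTRACTVALUE\s*\(.*CASE\s+WHEN", re.I | re.S),
    "error-based (GTID_SUBSET + CONCAT + hex markers)":
        re.compile(r"GTID_SUBSET\s*\(\s*CONCAT\s*\(.*0x[0-9a-fA-F]+", re.I | re.S),
    "time-based blind (SLEEP inside a subquery)":
        re.compile(r"\(\s*SELECT\s*\(\s*SLEEP\s*\(\s*\d+", re.I | re.S),
}

def xff_is_well_formed(value):
    """A legitimate X-Forwarded-For is only a comma-separated list of IPs."""
    for hop in value.split(","):
        try:
            ipaddress.ip_address(hop.strip())
        except ValueError:
            return False
    return True

def inspect_request(req):
    """Return (labels, priority) for one logged request (hypothetical schema:
    'path', 'headers', 'authenticated'). Priority is 'high' only when the
    request was authenticated: the vulnerable code path needs a session."""
    if req["path"] != "/Ajax.php":
        return [], "none"
    xff = req["headers"].get("X-Forwarded-For", "")
    labels = [name for name, pat in SQLI_SIGNATURES.items() if pat.search(xff)]
    if xff and not labels and not xff_is_well_formed(xff):
        labels.append("malformed X-Forwarded-For (manual review)")
    if not labels:
        return [], "none"
    return labels, ("high" if req.get("authenticated") else "low")

# Constructed sample log records (not from the page's sources); the header
# values reuse the payloads listed in the page's IOC section.
SAMPLE_REQUESTS = [
    {"path": "/Ajax.php", "authenticated": True,
     "headers": {"X-Forwarded-For": "203.0.113.7, 198.51.100.2"}},
    {"path": "/Ajax.php", "authenticated": True,
     "headers": {"X-Forwarded-For": "127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae"}},
    {"path": "/Ajax.php", "authenticated": False,
     "headers": {"X-Forwarded-For": "127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze"}},
    {"path": "/index.php", "authenticated": True,
     "headers": {"X-Forwarded-For": "127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG"}},
]
```

Some proxies emit non-IP tokens such as `unknown` in X-Forwarded-For, so the malformed-header fallback is a review hint rather than a verdict.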