openSIS is a commercial-grade, secure, scalable and intuitive Student Information System and School Management Software from OS4ED. It has all the functionality needed to run a single institution or multiple institutions from one installation. It is web based, written in PHP, and backed by a MySQL database.
Description:
Because input data is not sanitized, an attacker can inject malicious SQL into a query by controlling parameters such as ADDR_CONT_USRN, ADDR_CONT_PSWD or SECN_CONT_USRN, SECN_CONT_PSWD in the file HoldAddressFields.php.
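To make the description concrete, the following is an added example and not openSIS code: the table address_contacts, its columns and the query shape are hypothetical, and only the parameter names ADDR_CONT_USRN and ADDR_CONT_PSWD come from this report. It shows the vulnerable pattern (request parameters concatenated into the SQL text) next to the fix (a prepared statement with bound parameters), run against an in-memory SQLite database so it works offline; it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added illustration for this report; this is not openSIS code. The table
// address_contacts, its columns and the query shape are hypothetical. Only the
// parameter names ADDR_CONT_USRN / ADDR_CONT_PSWD come from the report.

// In-memory SQLite (pdo_sqlite) so the example runs offline; openSIS uses MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE address_contacts (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)');
$db->exec("INSERT INTO address_contacts (username, password) VALUES ('alice', 'secret1'), ('bob', 'secret2')");

// Constructed request body: the injection payload is carried in ADDR_CONT_USRN.
// The leading quote closes the string literal, "OR 1=1" makes the WHERE clause
// always true, and "-- " comments out the rest of the original query, including
// the password check (the trailing space matters on MySQL, where "--" must be
// followed by whitespace to start a comment).
$request = [
    'ADDR_CONT_USRN' => "' OR 1=1 -- ",
    'ADDR_CONT_PSWD' => 'not-the-password',
];

// Vulnerable pattern: request parameters are concatenated into the SQL text
// without sanitization, so their content is parsed as SQL rather than as data.
// (Comparing a password column in SQL is only here to show the query shape.)
function lookupVulnerable(PDO $db, string $user, string $pass): array
{
    $sql = "SELECT id, username FROM address_contacts"
         . " WHERE username='" . $user . "' AND password='" . $pass . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: a prepared statement with bound parameters. The SQL text is
// fixed at prepare time and the values are passed separately, so a quote in
// ADDR_CONT_USRN can only ever be compared against the username column.
function lookupSafe(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare(
        'SELECT id, username FROM address_contacts WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$vuln = lookupVulnerable($db, $request['ADDR_CONT_USRN'], $request['ADDR_CONT_PSWD']);
$safe = lookupSafe($db, $request['ADDR_CONT_USRN'], $request['ADDR_CONT_PSWD']);

printf("concatenated query: %d row(s) matched\n", count($vuln));
foreach ($vuln as $row) {
    printf("  leaked: id=%d username=%s\n", $row['id'], $row['username']);
}
printf("prepared statement: %d row(s) matched\n", count($safe));
```

Run with `php example.php`: the concatenated query matches every row in the table although neither the username nor the password is valid, while the prepared statement, given exactly the same input, matches none. The same applies to SECN_CONT_USRN and SECN_CONT_PSWD, or any other request parameter that reaches a query by string concatenation; the remediation is to bind every such value as a parameter rather than to filter individual characters.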
Request
Response
PoC: