This Metasploit module exploits multiple vulnerabilities in openSIS 7.4 and prior versions which could be abused by unauthenticated attackers to execute arbitrary PHP code with the permissions of the webserver. The exploit chain abuses an incorrect access control issue which allows access to scripts which should require the user to be authenticated, and a local file inclusion to reach a SQL injection vulnerability which results in execution of arbitrary PHP code due to an unsafe use of the eval() function.
942c0ce311ce709dd7c1790955789b1f88040cee422935d166bdf0e150147703
openSIS versions 7.4 and below suffer from multiple remote SQL injection vulnerabilities.
400d9b74c5924b238ccb88c1968e13b4640183baf55f44521ab902c275f4c1d9