| Title | cxbsoft Post-Office ≤v1.0 SQL Injection |
|---|
| Description | The identified vulnerability resides within the /admin/pages/update_go.php file of the Post-Office software, where the version parameter is concatenated directly into a SQL query without proper sanitization. This oversight allows an attacker to craft malicious SQL statements, such as time-based blind SQL injection, by sending a specially crafted HTTP POST request, as demonstrated by the payload that induces a deliberate delay in the database response, confirming the presence of the SQL injection vulnerability. |
|---|
| Source | ⚠️ https://note.zhaoj.in/share/grOgvdMgn0wg |
|---|
| User | glzjin (UID 59815) |
|---|
| Submission | 01/05/2024 04:56 (2 years ago) |
|---|
| Moderation | 01/14/2024 17:38 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 250698 [CXBSoft Post-Office 1.0 HTTP POST Request update_go.php Version sql injection] |
|---|
| Points | 20 |
|---|