Gửi #495548: Pihome PiHomeHVAC 2.0 SQL Injectionthông tin

tiêu đềPihome PiHomeHVAC 2.0 SQL Injection
Mô tảIn the PiHomeHVAC v 2.0 - there is a SQLi in the ajax.php controller. The web application is vulnerable to SQL Injection attacks within ajax modal functionality. Attackers can exploit this vulnerability by injecting malicious input into the "Ajax" parameter, which is used to edit values in the `sensors` table. A prerequisite is that a record exists in this table To exploit the SQL injection vulnerability, attackers craft a payload containing malicious input and inject it into the "Ajax" parameter. For example, submitting the payload `(sleep(20))--` triggers 20 seconds delay in the request. This demonstrates the successful execution of the injection within the application.
Nguồn⚠️ https://www.singto.io/pocsforexploits/pihomehva_sqli_ajax.md
Người dùng Jelle Janssens (UID 81048)
Đệ trình05/02/2025 19:30 (cách đây 1 Năm)
Kiểm duyệt10/02/2025 12:09 (5 days later)
Trạng tháiđược chấp nhận
Mục VulDB295089 [pihome-shc PiHome 2.0 ajax.php?Ajax=GetModal_Sensor_Graph Tiêm SQL]
điểm20

Do you want to use VulDB in your project?

Use the official API to access entries easily!