WebERP SQL injection Vulnerability Description


Testing Target

Abstract

SalesInquiry.php has a SQL injection vulnerability in the SortBy parameter: the value is appended directly after ORDER BY, so a sleep() call or other function can be injected there.

Concept

  1. First, we download the latest version from the official website and view the source code of /webERP/SalesInquiry.php.

  2. In the SalesInquiry.php source we found that the SortBy parameter is vulnerable to SQL injection at line 222.

  3. Next, we use the webERP Demo Company to reproduce the SQL injection.

  4. Choose the Sales Order Detail Or Summary Inquiries feature.

  5. Adjust the date to an earlier date to make sure records are returned.

  6. Here we found a total of 9 records; remember this number, as it is a key point.

  7. Repeat the above steps to adjust the date, and use Burp Suite to intercept the request.

  8. Insert a sample SQL injection payload into the SortBy parameter.

  • Payload: and sleep(1)

  9. Something remarkable happens: if you set sleep to 1 second, the delay is seconds * total number of records.

  • sleep(1) * 9 = 9 sec
  • sleep(2) * 9 = 18 sec
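As an added example (not webERP's own code), one way to close this class of bug in PHP is to never concatenate the client-supplied SortBy value into the query, and instead map it through an allow-list of known sort expressions; the table and column names below are constructed for illustration, not taken from SalesInquiry.php.

```php
<?php
// Added example, not webERP's own code. Assumes a SortBy value arrives in
// the request and is used to build the ORDER BY clause of the sales
// inquiry query, as the advisory describes for SalesInquiry.php.

// Constructed allow-list: keys are what the client may send, values are
// the SQL that is actually emitted. The client string itself never
// reaches the query, so "orderno and sleep(1)" cannot be appended.
$AllowedSortBy = array(
    'orderno'   => 'salesorders.orderno',
    'customer'  => 'debtorsmaster.name',
    'orderdate' => 'salesorders.orddate',
);

// Returns a safe ORDER BY fragment. Any value that is not an exact key
// in the allow-list falls back to the default sort column.
function SafeOrderBy(array $allowed, $requested, $default = 'orderno')
{
    $key = strtolower(trim((string)$requested));
    if (!array_key_exists($key, $allowed)) {
        $key = $default;
    }
    return ' ORDER BY ' . $allowed[$key];
}

$SortBy = isset($_GET['SortBy']) ? $_GET['SortBy'] : '';

// Constructed query: the only variable part is the allow-listed fragment.
$sql = 'SELECT salesorders.orderno, debtorsmaster.name, salesorders.orddate '
     . 'FROM salesorders INNER JOIN debtorsmaster '
     . 'ON salesorders.debtorno = debtorsmaster.debtorno'
     . SafeOrderBy($AllowedSortBy, $SortBy);
```

With this in place the injected payload from the steps above is silently replaced by the default sort, and the response time no longer scales with the number of returned rows.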