WebERP SQL injection Vulnerability Description


Testing Target

Abstract

SalesInquiry.php has a SQL injection vulnerability in the SortBy parameter. The value ends up after the ORDER BY, so the sleep function or other functions can be used there.

Concept

  1. First, we download the latest version from the official website and view the source code of /webERP/SalesInquiry.php.

  2. In the SalesInquiry.php source, we find that the SortBy parameter is vulnerable to SQL injection at line 222.

  3. Next, we use the webERP Demo Company to test the SQL injection.

  4. Choose the Sales Order Detail Or Summary Inquiries feature.

  5. Adjust the time to an earlier date to make sure the inquiry returns data.

  6. Here the inquiry returns a total of 9 records. Remember this number; it is a key point.

  7. Repeat the above steps to adjust the time, and use Burp Suite to intercept the request.

  8. In the SortBy parameter, we insert a sample SQL injection payload.

  • Payload: and sleep(1)

  9. Something remarkable happens: if you set sleep to 1 second, the total delay is sec * total data number.

  • sleep(1) * 9 = 9 sec
  • sleep(2) * 9 = 18 sec
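
The delay scales with the record count because an expression placed after ORDER BY is evaluated once for each row being sorted. The sketch below is an added example, not webERP code or part of the original write-up: it uses an in-memory SQLite table with constructed rows and hypothetical names (`salesorders`, `probe()`, `ALLOWED_SORT`), with `probe()` counting calls in place of `sleep()`, and contrasts concatenating SortBy into the query with mapping it through an allow-list.

```python
import sqlite3

# Constructed stand-in for the nine records the demo inquiry returned.
ROWS = [(n, f"CUST{n:02d}") for n in range(1, 10)]
# Columns a caller may sort by (hypothetical names, not webERP's schema).
ALLOWED_SORT = {"orderno": "orderno", "customer": "customer"}


def make_db():
    """In-memory DB plus probe(), which counts calls instead of sleeping."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE salesorders (orderno INTEGER, customer TEXT)")
    db.executemany("INSERT INTO salesorders VALUES (?, ?)", ROWS)
    calls = []

    def probe():
        calls.append(1)
        return 0

    db.create_function("probe", 0, probe)
    return db, calls


def vulnerable_query(db, sort_by):
    # Request value concatenated after ORDER BY: the flawed pattern.
    sql = "SELECT orderno, customer FROM salesorders ORDER BY " + sort_by
    return db.execute(sql).fetchall()


def hardened_query(db, sort_by):
    # ORDER BY cannot take a bound parameter, so map input to a fixed name.
    column = ALLOWED_SORT.get(sort_by)
    if column is None:
        raise ValueError("unsupported SortBy value")
    sql = "SELECT orderno, customer FROM salesorders ORDER BY " + column
    return db.execute(sql).fetchall()


def probe_calls(query, sort_by):
    """Return how many times probe() ran while `query` handled sort_by."""
    db, calls = make_db()
    try:
        query(db, sort_by)
    except ValueError:
        pass  # rejected before any SQL was executed
    return len(calls)


if __name__ == "__main__":
    print(probe_calls(vulnerable_query, "orderno and probe()"))  # one call per row
    print(probe_calls(hardened_query, "orderno and probe()"))    # rejected, no calls
```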