WebERP SQL Injection Vulnerability Description
- Authors: YU-HSIANG HUANG, YUNG-HAO TSENG, Eddie TC CHANG
- Contact: huang.yuhsiang.phone@gmail.com; 0xuhaw@gmail.com; eddietcchang@gmail.com
Testing Target
- Product: webERP 4.15
- Last updated: 2018/05/21
- Official Website: http://www.weberp.org/
- Github: https://github.com/webERP-team/webERP
Abstract
SalesInquiry.php has a SQL injection vulnerability in the SortBy parameter. Because the parameter value is appended directly after ORDER BY, an attacker can inject the sleep() function or other SQL functions at that position.
Concept
- First, we downloaded the latest version from the official website and reviewed the source code of /webERP/SalesInquiry.php.
- From the SalesInquiry.php source we discovered that the SortBy parameter has a SQL injection vulnerability at line 222.
- We then used the webERP demo company to test the SQL injection.
- Adjust the date range to an earlier date to make sure the query returns records.
- Here we found a total of 9 records; remember this number, because it is the key point.
- Repeat the above steps to adjust the date, and use Burp Suite to intercept the request.
- In the SortBy parameter we insert a sample SQL injection payload.
- Something notable happens: if you set sleep to 1 second, the response is delayed by sec * total number of records, because an expression injected into ORDER BY is evaluated once per row returned by the query.
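The root cause described above is that a request-controlled sort value is concatenated into the ORDER BY clause, which cannot be protected by bound parameters alone. The following is an added example, not webERP's own code, showing that vulnerable pattern next to an allowlist-based hardened version; the table, column and function names are hypothetical.

```php
<?php
// Added example (not webERP's code): hardening an ORDER BY clause built
// from a user-controlled "SortBy" request parameter. Names are hypothetical.

// Vulnerable pattern: the raw request value is concatenated into the SQL text.
// ORDER BY cannot take a bound parameter, so prepared statements alone do not fix this.
function build_sales_query_vulnerable(string $sortBy): string
{
    return "SELECT orderno, orddate, customerno FROM salesorders ORDER BY " . $sortBy;
}

// Hardened pattern: the request value is only used as a key into an allowlist
// of known column names; anything else falls back to a safe default.
const SORT_COLUMNS = [
    'orderno'    => 'salesorders.orderno',
    'orddate'    => 'salesorders.orddate',
    'customerno' => 'salesorders.customerno',
];

function resolve_sort_column(string $sortBy, string $default = 'orderno'): string
{
    // Accept "<column>" or "<column> ASC|DESC" only; everything else is rejected.
    $parts = preg_split('/\s+/', trim($sortBy));
    $key   = strtolower($parts[0] ?? '');
    $dir   = strtoupper($parts[1] ?? 'ASC');

    if (count($parts) > 2 || !array_key_exists($key, SORT_COLUMNS)) {
        $key = $default;
        $dir = 'ASC';
    }
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        $dir = 'ASC';
    }
    // The string placed into SQL comes from the allowlist, never from the request.
    return SORT_COLUMNS[$key] . ' ' . $dir;
}

function build_sales_query_hardened(string $sortBy): string
{
    return "SELECT orderno, orddate, customerno FROM salesorders ORDER BY "
        . resolve_sort_column($sortBy);
}

// Constructed inputs: a legitimate sort value and a value that is not a column name.
foreach (['orddate DESC', 'not_a_column, 1'] as $input) {
    echo "input:      {$input}\n";
    echo "vulnerable: " . build_sales_query_vulnerable($input) . "\n";
    echo "hardened:   " . build_sales_query_hardened($input) . "\n\n";
}
```

With the hardened version, a time-based payload in SortBy such as the one described in this report is never copied into the query; the sort silently falls back to the default column, and the request can additionally be logged as suspicious input.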