Description:
I downloaded Rukovoditel-3.2.1 from https://www.rukovoditel.net/download.php
The SQL injection vulnerability can be exploited by injecting into the order_by parameter to generate an error and get the query output.
PoC:
1. Log in to an account
2. Go to 'rukovoditel/index.php?module=logs/view&type=php'
3. Apply a search query
4. Insert the SQLi payload; I am presented with an error message dumping the output of the SQL query
Screenshot:
Request and response:
Retrieve the Database Tables:
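
A mitigation sketch for the two conditions the report describes (an `order_by` value reaching the SQL text, and database errors being shown to the user), added here as an example and not taken from Rukovoditel's code. The `logs` table, its columns, the `column direction` input format and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical request keys mapped to real column names (not Rukovoditel's schema).
const SORTABLE_COLUMNS = ['date' => 'date_added', 'message' => 'message'];

// ORDER BY identifiers cannot be bound as parameters, so the untrusted value
// is used only as a lookup key and never concatenated into the SQL text.
function buildOrderBy(?string $orderBy, string $default = 'date_added DESC'): string
{
    if ($orderBy === null
        || !preg_match('/\A([a-z_]{1,32})(?:\s+(asc|desc))?\z/i', $orderBy, $m)) {
        return $default;
    }
    $key = strtolower($m[1]);
    if (!array_key_exists($key, SORTABLE_COLUMNS)) {
        return $default;
    }
    $direction = strtoupper($m[2] ?? 'ASC') === 'DESC' ? 'DESC' : 'ASC';
    return SORTABLE_COLUMNS[$key] . ' ' . $direction;
}

// Database errors are logged server-side instead of being echoed into the page.
function listLogs(PDO $db, ?string $orderBy): array
{
    try {
        $sql = 'SELECT id, message FROM logs ORDER BY ' . buildOrderBy($orderBy);
        return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('log listing failed: ' . $e->getMessage());
        return [];
    }
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logs (id INTEGER PRIMARY KEY, date_added TEXT, message TEXT)');
$db->exec("INSERT INTO logs (date_added, message) VALUES ('2023-01-02', 'b'), ('2023-01-01', 'a')");

// Constructed inputs: a valid sort, an unlisted column, and a value carrying SQL syntax.
foreach (['message asc', 'password', 'date,(select 1)'] as $value) {
    $ids = array_column(listLogs($db, $value), 'id');
    printf("%-16s => ORDER BY %-16s ids=%s\n", $value, buildOrderBy($value), implode(',', $ids));
}
```

Any value that is not an allowlisted key, optionally followed by `asc` or `desc`, falls back to the default sort, so the generated SQL text never contains request data.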