# Titles: sacco-1.0-Multiple-SQLi
# sacco_shield-1.0-msf-sqlmap-nu11secur1ty-BurpSuite-EXPLOIT!
# Author: nu11secur1ty
# Date: 09/20/2025
# Vendor: https://www.mayurik.com/
# Software: https://www.sourcecodester.com/php/15372/open-source-sacco-management-system-free-download.html
# Reference: https://portswigger.net/web-security/sql-injection

## Description:
The username parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the username parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Additionally, the payload '+(select*from(select(sleep(20)))a)+' was submitted in the username parameter. The application took 20023 milliseconds to respond to the request, compared with 19 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

STATUS: HIGH-CRITICAL Vulnerability

[+]Exploit:
[href](https://nu11secur1ty.github.io/DownGit/#/home?url=https://github.com/nu11secur1ty/metasploit-framework-nu11secur1ty/tree/main/modules/auxiliary/MSF/sacco)

# Reproduce:
[href](https://www.patreon.com/posts/sacco-shield-1-0-139316124)

# Time spent: 35:15:00

WARNING: IF YOU USE THIS FOR AN UNAUTHORIZED ATTACK, YOU WILL BE RESPONSIBLE IN FRONT OF THE LAW!!! THIS IS A COUPLE OF DAYS' SECURITY RESEARCHING. PLEASE RESPECT THE WORK OF THE HACKERS - INCLUDING MY WORK, THE INTERNET WOULD NOT EXIST WITHOUT US!
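The single-quote / double-quote symptom described above is what a login query built by string concatenation produces; the following is an added illustration (not code from this advisory or from SACCO Shield) that reproduces that symptom against a constructed in-memory SQLite table and shows the parameterised query that removes it. It assumes a plain username/password lookup on login; SQLite has no sleep(), so the time-delay probe from the advisory is not reproduced here.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's users table (assumption:
    the real app is MySQL; SQLite is used so the example runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text, so a
    quote in the username changes the statement's structure."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_param(conn, username, password):
    """Hardened pattern: placeholders; the driver sends the values separately
    from the statement, so quotes are only ever data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def probe(login, conn, username):
    """Replicates the advisory's check: does a quote in the username make the
    database reject the statement? Returns 'error' or 'ok'."""
    try:
        login(conn, username, "x")
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concat", login_concat), ("param", login_param)):
        print(name, "'", probe(fn, db, "'"), "| ''", probe(fn, db, "''"))
```

The concatenated version errors on `'` and recovers on `''`, exactly the pattern the scanner flagged; the parameterised version treats both as literal usernames and never errors.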
😎 more: https://github.com/nu11secur1ty/metasploit-framework-nu11secur1ty
more: https://github.com/nu11secur1ty/sqlmap-nu11secur1ty

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/

nu11secur1ty <http://nu11secur1ty.com/>