# PoC for CVE-2022-24707

SQL Injection Vulnerability on Puncher plugin. A POST request can be crafted to exploit SQL Injection and leak database contents. This is tested on [Anuko Time Tracker](

python3 --help                                                               
usage: [-h] --username USERNAME --password PASSWORD --host HOST [--sqli SQLI]

optional arguments:
  -h, --help           show this help message and exit
  --username USERNAME  Anuko Timetracker username
  --password PASSWORD  Anuko Timetracker password
  --host HOST          e.g.,,
  --sqli SQLI          SQL query to run. Defaults to getting all tables

![cve gif](./CVE-2022-24707.gif)