Unauthorized SQL injection vulnerability exists in Access OA
Version: v2017
Routing: general/hr/recruit/filter/delete PHP
The injectable parameter is $FILTER_ID.
The code here is very concise: when $FILTER_ID is not empty, the parameter is concatenated directly into the SQL statement. The parentheses around it offer no protection, because the input can close them itself.
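The pattern described above, next to a hardened form, as an added example (not the product's own code). The table name hr_recruit_filter, the column filter_id, the IN (...) shape of the statement and both function names are assumptions made for illustration; the demo runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example: table/column names and the IN (...) shape are assumptions,
// not taken from the product's source.

// Vulnerable pattern as described: request data becomes part of the SQL text.
// Shown for comparison only; the demo below never calls it.
function delete_filters_vulnerable(PDO $db, string $filterId): int
{
    if ($filterId === '') {
        return 0;
    }
    // A value containing ")" ends the parenthesised list early.
    return $db->exec("DELETE FROM hr_recruit_filter WHERE filter_id IN ($filterId)");
}

// Hardened form: accept only a comma-separated list of decimal ids, bind each one.
function delete_filters_safe(PDO $db, string $filterId): int
{
    $ids = array_filter(explode(',', $filterId), 'strlen'); // tolerate a trailing comma
    if ($ids === []) {
        return 0;
    }
    foreach ($ids as $id) {
        if (!ctype_digit($id)) {
            throw new InvalidArgumentException('FILTER_ID must contain only numeric ids');
        }
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM hr_recruit_filter WHERE filter_id IN ($marks)");
    $stmt->execute(array_values(array_map('intval', $ids)));
    return $stmt->rowCount();
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hr_recruit_filter (filter_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO hr_recruit_filter VALUES (1,'a'),(2,'b'),(3,'c')");

echo delete_filters_safe($db, '1,2,'), " row(s) deleted\n";
try {
    delete_filters_safe($db, '3) OR (1=1'); // constructed value that closes the parenthesis
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo $db->query('SELECT COUNT(*) FROM hr_recruit_filter')->fetchColumn(), " row(s) remaining\n";
```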
POC