GlobalWebTek Design SQL Injection Vulnerability

vendor:

GlobalWebTek Design

by:

cyberlog

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: GlobalWebTek Design

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

GlobalWebTek Design SQL Injection Vulnerability

The vulnerability exists in the GlobalWebTek Design website, which allows an attacker to inject malicious SQL queries into the vulnerable web application. The vulnerable parameters are 'CAT' and 'famid' in the URLs 'productos.php?CAT=' and 'etalle_productos.php?famid='. An attacker can exploit this vulnerability to gain unauthorized access to the database and manipulate the data.

Mitigation:

The best way to mitigate this vulnerability is to use parameterized queries instead of dynamic SQL queries. This will ensure that the user input is treated as a string and not as a part of the SQL query. Additionally, input validation should be used to ensure that the user input is valid and does not contain any malicious code.

Source

Exploit-DB raw data:

               __                  __               
 .----..--.--.|  |--..-----..----.|  |.-----..-----.
 |  __||  |  ||  _  ||  -__||   _||  ||  _  ||  _  |
 |____||___  ||_____||_____||__|  |__||_____||___  |
       |_____|                               |_____|

####################################################
# GlobalWebTek Design SQL Injection Vulnerability
####################################################
# Vendor: http://www.globalwebtek.com/
# Discovered by : cyberlog
# Site          : Sekuritionline.net
# Channel       : #SekuritiOnline [ Now Just My Bot ] :P
# Dork          : "Site designed and built Powered by GlobalWebTek." 
		  inurl: productos.php?CAT=
		  inurl: etalle_productos.php?famid=
		  
# Exploit       : [site]/productos.php?CAT=[SQL Injection]
		  [site]/etalle_productos.php?famid= [SQL Injection]
		  

# Thanks        : r0073r,adhietslank, k1n9k0ng, cr4wl3r,cah_gemblunkz,
                  jayoes,thesims,setiawan,irvian,EA_Angel,BlueSpy,SoEy,A-technique,Jantap,KiLL,blindboy,sukam,
                  SarifJedul,wiro gendeng,Letjen,ridho_bugs,Ryan Kabrutz,Mathews, aurel666, Dony Hikoru,
# special to Mama Sri Rahayu, Member& Staff Sekuritonline, C0li a.k.a antisecurity [ pinjem script perl-na ] :), 
# Inj3ct0r Now Brothers with Sekuritionline
                
####################################################

# Demo: 
# http://localhost/productos.php?CAT=[sql]

####################################################

We never die !!!! indonesian Underground Community
!!!!! anjing buat oknum Pemerintah yang suka nilep uang rakyat !!!
!!!!! anjing juga buat admin site indon3sia yang merasa sok h3bat, dikasih tahu ada hole malah nyolot !!!!!

KacrUt I L0v3 U :P
Give me NOCAN Brothers :P
am nt hacker just Lik3 Syst3m S3curity



                __                  __  __    __                __  __               
 .-----..-----.|  |--..--.--..----.|__||  |_ |__|.-----..-----.|  ||__|.-----..-----.
 |__ --||  -__||    < |  |  ||   _||  ||   _||  ||  _  ||     ||  ||  ||     ||  -__|
 |_____||_____||__|__||_____||__|  |__||____||__||_____||__|__||__||__||__|__||_____|