vendor:
Under Construction Page with CPanel
by:
Mayur Parmar(th3cyb3rc0p)
9.8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Under Construction Page with CPanel
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: No
Related CWE: N/A
CPE: a:egavilanmedia:under_construction_page_with_cpanel
Metasploit:
N/A
Other Scripts:
N/A
Platforms Tested: PopOS
2020
Under Construction Page with CPanel 1.0 – SQL injection
SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data. An attacker can gain admin panel access using malicious sql injection queries. Steps to reproduce: 1. Open admin login page using following URl: -> http://localhost/Under%20Construction/admin/login.php 2. Now put below Payload in both the fields( User ID & Password) Payload: admin' or '1'='1 3. Server accepted our payload and we bypassed cpanel without any credentials.
Mitigation:
Use parameterized queries, Use stored procedures, Use input validation, Use an ORM, Use a web application firewall
