TITLE: Loca Software - SQL Injection/Admin Panel Bypass
# Exploit Author: Onur Kara (root9ext)
# Service Provider: LocaSoftware
# Vulnerable URL: /cms/
# Dork: intext:"bu web sitesi LOCA YAZILIM BİLİŞİM TEK. LTD. ŞTİ."
# Vulnerability Type: SQL Bypass
# Severity: Critical

Vulnerability Description:
A critical SQL injection vulnerability has been identified in the admin panel login functionality of Loca Software's CMS, specifically within the /cms/ directory. The vulnerability allows an attacker to bypass authentication controls by injecting arbitrary SQL queries, resulting in unauthorized access to the admin panel.

Proof of Concept (PoC):

URLs:
- http://izmirsunnetmerkezi.com/cms/
- https://www.ozkankirtasiye.com.tr/cms/
- https://locapp.net/cms/

1. Visit the admin login page, typically located at: https://locapp.net/cms/
2. Input the following payload in the username and password fields:
   ' or 1=1 --
   ' or 1=1 --
3. Submit the form.
4. Observe that the admin panel is accessible without redirection, indicating successful authentication bypass.

# Disclaimer: This PoC is for educational purposes only. Unauthorized access to systems or applications is illegal.

Contact Telegram: @rootninext
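As an added example (not the advisory's code and not Loca Software's), the login-query pattern that lets the payload above bypass authentication, beside the parameterized form that defeats it. The user table, credentials and function names are constructed for the demo; the point is that once the password is hashed only the username field carries the injection, and binding parameters closes it.

```python
# Added example (not the advisory's or the vendor's code): a minimal
# login check showing why the page's payload bypasses a query built by
# string interpolation, and why a parameterized query is immune.
import hashlib
import sqlite3

PAYLOAD = "' or 1=1 -- "  # the bypass string quoted in the advisory


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; the credentials are sample values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text. The attacker's quote
    # closes the string literal, `or 1=1` makes the WHERE clause true for
    # every row, and `--` comments out the password comparison entirely.
    # Hashing the password neutralizes the payload in that field, but the
    # username field alone is enough to reach the admin row.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values as data, so the
    # payload is compared literally as a username and matches no row.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Run the payload against both forms plus a legitimate login."""
    conn = make_db()
    return {
        "vuln_bypassed": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "safe_bypassed": login_safe(conn, PAYLOAD, PAYLOAD),
        "safe_legit": login_safe(conn, "admin", "correct horse"),
    }
```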