WebOfisi E-Ticaret SQL Injection Vulnerability

A SQL injection vulnerability has been identified in WebOfisi E-Ticaret version 4.0. The issue resides in the 'urun' GET parameter of the 'arama.html' endpoint. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL payloads. Exploitation can lead to boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the 'arama.html' endpoint with the 'urun' parameter. Inject SQL payloads into the 'urun' parameter to exploit the vulnerability. The injection can be tailored to perform boolean-based blind, error-based, time-based blind, or stacked query attacks, depending on the payload used.