Web Ofisi Firma SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Web Ofisi Firma version 13. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'oz' array parameter. Attackers can exploit this issue by sending GET requests to category pages with malicious 'oz[]' values, using time-based blind SQL injection payloads to extract sensitive information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to a category page with the 'oz[]' parameter. Inject a SQL payload that exploits time-based blind SQL injection, such as one that causes a delay in the response. This can be used to extract information from the database by observing the response times.