Web Ofisi Emlak SQL Injection Vulnerability

Multiple SQL injection vulnerabilities have been identified in Web Ofisi Emlak V2. These vulnerabilities allow unauthenticated attackers to manipulate database queries through various GET parameters, including emlak_durumu, emlak_tipi, il, ilce, kelime, and semt. Exploitation of these vulnerabilities could lead to the extraction of sensitive database information or the execution of time-based blind SQL injection attacks.

Impact

Exploitation of these vulnerabilities allows for SQL injection, where attackers can manipulate database queries to extract or modify data. The vulnerabilities also allow for time-based blind SQL injection, where attackers can infer information based on the time taken to respond to certain queries.

Reproduction

The vulnerability can be reproduced by sending a GET request to the 'emlak-ara.html' endpoint with crafted payloads that exploit the SQL injection vulnerability in the specified parameters. For example, injecting SQL code into the 'emlak_durumu' parameter can bypass input validation and manipulate the underlying SQL query, potentially leading to unauthorized data access or modification.