Web Ofisi Platinum E-Ticaret SQL Injection Vulnerability

Vulnerability

Web Ofisi Platinum E-Ticaret version 5 contains a SQL injection vulnerability. An unauthenticated attacker can alter the database queries issued by the application by injecting SQL through the 'q' parameter, which is accepted as a GET parameter on the 'arama' endpoint and as a POST parameter on the 'ajax/productsFilterSearch' endpoint. The injection is exploited blind, with time-based techniques: the attacker makes the database pause only when a chosen condition about its contents is true, and infers sensitive database information from the resulting response delays.

Impact

An unauthenticated attacker can manipulate the queries the application sends to its database and read data they are not authorized to see. Time-based extraction discloses only a small amount of information per request (one condition, and therefore typically one bit or one character at a time), but the process is routinely automated, so the practical outcome is disclosure of sensitive database contents.

Reproduction

Send a GET request to the 'arama' endpoint with a crafted 'q' parameter containing a time-based SQL injection payload, that is, one that instructs the database to pause for a chosen number of seconds, and compare the response time with that of a baseline request carrying an ordinary search term. A delay that matches the requested pause confirms that the injected SQL executed; repeat the measurement several times and with different pause lengths, since network jitter and server load can mimic a single slow response. The same 'q' parameter is injectable in POST requests to the 'ajax/productsFilterSearch' endpoint.
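The following script is an added example, not code from the advisory or from Web Ofisi, written from the defender's side of the behaviour described above. It triages web server log lines for requests to the two named endpoints, decodes the 'q' parameter from either the query string (GET) or the request body (POST), and combines two signals: a SQL timing primitive inside 'q' and an unusually long response time. The log layout (Apache combined log followed by the request duration in microseconds, as Apache's %D directive records it, plus an optional quoted request body as a WAF or application log might capture for POST), the 3 second threshold, the list of timing primitives and every sample log line are constructed assumptions for this example; the advisory does not name the database engine, so primitives for several engines are matched.

```python
"""Triage web-server log lines for time-based SQL injection probes against
the 'q' parameter of the two endpoints named in the advisory.

Added example; not code from the advisory or from Web Ofisi. The log layout
(Apache combined log, then the request duration in microseconds as %D gives
it, then an optional quoted request body as a WAF or application log might
record for POST) and all sample lines are constructed. The 3 s threshold and
the primitive list are assumptions: the advisory does not name the database
engine, so primitives for several engines are matched."""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINTS = ("arama", "ajax/productsFilterSearch")

# Count a timing primitive only when it is actually called (followed by "(")
# or, for T-SQL, written as WAITFOR DELAY, so a shopper searching for
# "sleep mask" does not trip the rule.
TIMING_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep|dbms_pipe\.receive_message)\s*\("
    r"|\bwaitfor\s+delay\b",
    re.IGNORECASE,
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ (?P<micros>\d+)'
    r'(?: "(?P<body>[^"]*)")?$'
)


def endpoint_of(path):
    """Map a request path to one of the advisory's endpoints (leading slash
    and a file extension such as arama.php tolerated), or None."""
    p = path.strip("/")
    for ep in ENDPOINTS:
        if p == ep or p.startswith(ep + "."):
            return ep
    return None


def q_parameter(method, query, body):
    """Decoded 'q' from the form body for POST, else from the query string."""
    source = body if method == "POST" and body else query
    values = parse_qs(source or "", keep_blank_values=True).get("q")
    return values[0] if values else None


def triage_line(line, slow_ms=3000):
    """Classify one line; None when it is not a 'q' request to a listed
    endpoint. Verdicts: 'injection-delay' (timing primitive in q and a slow
    response: the injected delay most likely executed), 'probe-no-delay'
    (primitive present but fast: blocked, e.g. a WAF 403, or not executed),
    'benign' (no primitive)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    endpoint = endpoint_of(parts.path)
    if endpoint is None:
        return None
    q = q_parameter(m["method"], parts.query, m["body"])
    if q is None:
        return None
    primitive = TIMING_RE.search(q)
    elapsed_ms = int(m["micros"]) / 1000
    if primitive and elapsed_ms >= slow_ms:
        verdict = "injection-delay"
    elif primitive:
        verdict = "probe-no-delay"
    else:
        verdict = "benign"
    return {"ip": m["ip"], "method": m["method"], "endpoint": endpoint,
            "status": int(m["status"]), "q": q, "elapsed_ms": elapsed_ms,
            "primitive": primitive.group(0) if primitive else None,
            "verdict": verdict}


def triage(lines, slow_ms=3000):
    """Triage many lines, dropping those out of scope."""
    return [r for r in (triage_line(l, slow_ms) for l in lines) if r]


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Feb/2026:15:19:01 +0000] "GET /arama?q=laptop HTTP/1.1" 200 5123 184000',
    '203.0.113.5 - - [22/Feb/2026:15:19:03 +0000] "GET /arama?q=sleep+mask HTTP/1.1" 200 4870 171000',
    '198.51.100.7 - - [22/Feb/2026:15:19:07 +0000] "GET /arama?q=laptop%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5123 5212000',
    '198.51.100.7 - - [22/Feb/2026:15:19:20 +0000] "POST /ajax/productsFilterSearch HTTP/1.1" 200 812 5190000 "q=x%27%20AND%20SLEEP(5)--%20-&page=1"',
    '198.51.100.7 - - [22/Feb/2026:15:19:25 +0000] "GET /arama?q=x%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 403 211 12000',
    '203.0.113.9 - - [22/Feb/2026:15:19:30 +0000] "GET /blog?q=sleep(5) HTTP/1.1" 200 4000 150000',
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['verdict']:16} {r['method']:4} {r['endpoint']:26} "
              f"{r['elapsed_ms']:7.0f} ms  q={r['q']!r}")
```

The two signals are deliberately kept separate in the verdict: a primitive with a fast response ('probe-no-delay') usually means a WAF or input filter stopped the request, or the injected SQL never ran, and is worth knowing about as reconnaissance, while a primitive with a matching delay ('injection-delay') is the strongest evidence available from logs alone that the injection executed. Requests to unrelated paths are dropped even when they contain a timing primitive, because the advisory scopes the flaw to these two endpoints.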

Added: Feb 22, 2026, 3:19 PM
Updated: Feb 22, 2026, 3:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.