Web Ofisi Platinum E-Ticaret SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Web Ofisi Platinum E-Ticaret version 5. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. Exploitation can be achieved by sending POST requests to the ajax/productsFilterSearch endpoint with malicious 'q' values, using time-based blind SQL injection techniques to extract sensitive database information.
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to alter the SQL query built from the 'q' parameter. Because the injection is time-based and blind, no query output is returned directly; the attacker infers database contents by measuring response delays, and, depending on the privileges of the application's database account, can read or modify data in the backend database.
Reproduction
The vulnerability can be reproduced by sending a POST request to the ajax/productsFilterSearch endpoint with a time-based blind SQL injection payload in the 'q' parameter. A payload that conditionally delays the database query will delay the HTTP response by the same amount when its condition is true, which confirms the injection and gives a true/false oracle for extracting database information one character at a time.
