Jettweb PHP Hazir Rent A Car Sitesi SQL Injection Vulnerability

An SQL injection vulnerability has been identified in Jettweb PHP Hazir Rent A Car Sitesi Scripti V2. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'arac_kategori_id' parameter. Exploitation involves sending POST requests to the 'fiyat-goster.html' endpoint with malicious SQL payloads, which can be used to extract sensitive information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to the 'fiyat-goster.html' endpoint with the 'arac_kategori_id' parameter. Include a crafted SQL payload that exploits the application's SQL query handling. The injected SQL code can be designed to, for example, bypass authentication or extract database information.