Jettweb Rent A Car SQL Injection Vulnerability
Vulnerability
Multiple SQL injection vulnerabilities have been identified in Jettweb Rent A Car Script version 4, specifically within the admin panel. These vulnerabilities allow unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. The affected endpoint is admin/index.php, and the vulnerable parameters include 'tur', 'id', and 'ozellikdil'. Exploitation of these vulnerabilities could lead to unauthorized access to sensitive database information or cause a denial-of-service condition.
Impact
Exploitation of these SQL injection vulnerabilities could allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, or causing a denial-of-service condition by disrupting normal application operations.
Reproduction
The SQL injection vulnerabilities can be reproduced by sending crafted GET requests to the admin/index.php endpoint with SQL payloads placed in the vulnerable parameters. For example, a payload that breaks out of the application's intended query can be used to extract database information, or to introduce measurable delays through time-based SQL injection techniques.
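To make the reported pattern and its remediation concrete, the following is an added PHP illustration and not the Jettweb script's own code: a record lookup that concatenates the three GET parameters into its query, followed by the same lookup rewritten with input validation, an authentication check, and PDO prepared statements. The table name `araclar`, the allow-listed values, and the session key are assumptions for the example.

```php
<?php
// Added illustration, not the Jettweb script's own code. Table and column names
// (araclar, tur, ozellikdil) and the allow-listed values are assumptions.

// BEFORE (vulnerable): GET values are concatenated straight into the SQL text,
// so whatever the client sends becomes part of the query rather than data.
function findRecordVulnerable(mysqli $db, array $get)
{
    $sql = "SELECT * FROM araclar WHERE id = " . $get['id']
         . " AND tur = '" . $get['tur'] . "'"
         . " AND ozellikdil = '" . $get['ozellikdil'] . "'";
    return $db->query($sql);
}

// AFTER (hardened): the query text is fixed, every value is bound as a parameter,
// the numeric id is validated as an integer, and the two enumerated fields are
// checked against an allow-list. An admin session check runs first, because the
// report states the endpoint is reachable without authentication.
const ALLOWED_TUR = ['arac', 'kampanya'];   // assumed category values
const ALLOWED_DIL = ['tr', 'en'];           // assumed language codes

function findRecordHardened(PDO $db, array $get): array
{
    if (empty($_SESSION['admin_id'])) {     // assumed session key set at login
        http_response_code(403);
        return [];
    }
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false
        || !in_array($get['tur'] ?? '', ALLOWED_TUR, true)
        || !in_array($get['ozellikdil'] ?? '', ALLOWED_DIL, true)) {
        http_response_code(400);
        return [];
    }
    // Disable emulated prepares so the server, not the driver, separates code from data.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare(
        'SELECT * FROM araclar WHERE id = :id AND tur = :tur AND ozellikdil = :dil'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':tur', $get['tur'], PDO::PARAM_STR);
    $stmt->bindValue(':dil', $get['ozellikdil'], PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With the hardened version, a value that is not an integer or not in the allow-list is rejected before any query is built, and a value that passes is sent to the database as data, so it cannot alter the query structure or trigger a time-based delay.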
