Homey BNB SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Homey BNB version 4. An unauthenticated attacker can manipulate database queries by injecting SQL through the 'id' parameter of the admin/edit.php endpoint. Because the injection is time-based (blind), GET requests carrying delay-inducing payloads can be used to extract sensitive database information.
Impact
Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries and potentially access or modify sensitive database information.
Reproduction
The vulnerability can be reproduced by sending a GET request to the 'admin/edit.php' endpoint with an injected SQL payload in the 'id' parameter, either manually with a tool such as Burp Suite or with a simple script that automates the injection. Since the injection is time-based, a payload built around a 'SLEEP' call is used to test for successful injection: a delayed response indicates that the injected SQL was executed.
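As an added example from the defender's side (not Homey BNB's own code), this is the pattern that closes this class of bug in a PHP admin page: an authentication check for the admin endpoint, strict integer validation of 'id', and a prepared statement so the value is bound as data rather than concatenated into the query text. The table name 'listings', its columns, the session key and the connection credentials are assumptions made for illustration.

```php
<?php
// Added example, not Homey BNB's code. Hardened handling of the 'id'
// parameter on an admin edit page. Table, columns, session key and
// credentials are assumptions.
declare(strict_types=1);

session_start();

// The advisory notes the endpoint is reachable unauthenticated:
// require an authenticated admin session before touching the database.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Vulnerable pattern this replaces (illustrative, do not use):
//   $sql = "SELECT ... FROM listings WHERE id = " . $_GET['id'];
// Any string in 'id', including a time-based payload, becomes SQL.

// Validate the parameter's type before it goes anywhere near SQL.
// FILTER_VALIDATE_INT returns false for non-integer input and null
// when the parameter is absent, so both are rejected here.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// Prepared statement: the integer is bound as a parameter, never
// interpolated into the query string.
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'homey_bnb'); // assumed
$mysqli->set_charset('utf8mb4');

$stmt = $mysqli->prepare('SELECT id, title, description FROM listings WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($row === null) {
    http_response_code(404);
    exit('Not found');
}

// Output-encode when rendering so the fix does not trade SQLi for XSS.
echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>' . htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8') . '</p>';
```

The integer validation alone already rejects the payloads described above, but the prepared statement is the control that holds even if 'id' later becomes a string identifier; the two are layered deliberately. Access logs showing non-numeric values in the 'id' parameter of admin/edit.php, or unusually slow responses from that endpoint, are the corresponding detection signal.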
