Tradebox SQL Injection Vulnerability in Monthly Deposit Endpoint
Vulnerability
A SQL injection vulnerability has been identified in Tradebox version 5.4. The value of the 'symbol' parameter in POST requests to the 'monthly_deposit' endpoint is incorporated into a database query without adequate sanitization or parameterization, so an authenticated attacker who controls that value can alter the query's logic. The page's findings indicate that multiple injection techniques are viable against this parameter: boolean-based blind, time-based blind, error-based, and union-based injection, the latter two of which return query results directly in the response, while the blind variants infer them one condition at a time.
Impact
Exploitation of this vulnerability allows for unauthorized database access and information retrieval, potentially including sensitive user data or application information.
Reproduction
To reproduce this vulnerability, log in as an authenticated user and send a POST request to the 'monthly_deposit' endpoint whose 'symbol' parameter carries a SQL injection payload. Any of the techniques listed above can be used; the simplest confirmation is a boolean-based probe, in which two requests that differ only in an appended true versus false condition produce different responses if the parameter is injectable, whereas a properly parameterized query returns the same (empty or unchanged) result for both.
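The following is an added illustration and is not Tradebox code: it emulates the defect class described above in a small SQLite-backed lookup, so the boolean-based and union-based behaviour from the Vulnerability and Reproduction sections can be observed offline. The table name, column names and sample rows are constructed assumptions, not the application's schema; the vulnerable handler interpolates 'symbol' into the SQL string, and the hardened handler is the same query with bound parameters.

```python
import sqlite3

# Constructed sample data standing in for the application's table. The schema
# and column names are assumptions for this illustration, not Tradebox's own.
SAMPLE_ROWS = [
    ("BTC", 1, 1200.0),
    ("ETH", 1, 350.5),
    ("XRP", 2, 80.0),
]


def make_db():
    """In-memory SQLite database seeded with the constructed deposit rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE monthly_deposits (symbol TEXT, user_id INTEGER, amount REAL)"
    )
    conn.executemany("INSERT INTO monthly_deposits VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_id, symbol):
    """Builds the query by string interpolation: the attacker-controlled 'symbol'
    becomes part of the SQL text, which is the defect class in the advisory."""
    sql = (
        "SELECT symbol, amount FROM monthly_deposits "
        f"WHERE user_id = {int(user_id)} AND symbol = '{symbol}'"
    )
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, user_id, symbol):
    """Same query with bound parameters; the driver never treats 'symbol' as SQL."""
    sql = "SELECT symbol, amount FROM monthly_deposits WHERE user_id = ? AND symbol = ?"
    return conn.execute(sql, (user_id, symbol)).fetchall()


def boolean_blind_oracle(lookup, conn, user_id, condition):
    """Boolean-based blind probe: append a condition to the WHERE clause and
    report whether the response matches the benign baseline. Against the
    vulnerable handler this returns True for a true condition and False for a
    false one; against the hardened handler it is False either way, so the
    attacker learns nothing."""
    baseline = lookup(conn, user_id, "BTC")
    probe = lookup(conn, user_id, f"BTC' AND ({condition}) -- ")
    return probe == baseline


def union_extract(lookup, conn, user_id):
    """Union-based extraction: pull table names out of sqlite_master through
    the same two-column SELECT. Only the vulnerable handler returns them."""
    payload = "x' UNION SELECT name, 1 FROM sqlite_master WHERE type='table' -- "
    return lookup(conn, user_id, payload)


if __name__ == "__main__":
    conn = make_db()
    for name, lookup in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        print(name,
              "true-cond:", boolean_blind_oracle(lookup, conn, 1, "1=1"),
              "false-cond:", boolean_blind_oracle(lookup, conn, 1, "1=2"),
              "union:", union_extract(lookup, conn, 1))
```

Time-based blind injection is not shown because SQLite has no sleep primitive, but the mechanism is identical: the appended condition controls whether a slow expression is evaluated instead of whether a row is returned. The fix illustrated by `hardened_lookup` is the standard one, binding the parameter rather than escaping it.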
