Jettweb PHP Hazir Haber Sitesi SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Jettweb PHP Hazir Haber Sitesi Scripti Version 1. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'cid' parameter. Exploitation involves sending requests to 'haberarsiv.php' with malicious 'cid' values, using UNION-based injection to extract sensitive database information or modify database contents.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a POST request to 'haberarsiv.php' with the 'cid' parameter. Inject SQL payloads using UNION-based injection techniques. The vulnerability can also be reproduced by exploiting the 'gallery_id' parameter in 'gallery.php' or the 'option' parameter in 'uyelik.php' with similar SQL injection payloads.