SMM Panel SQL Injection Vulnerability Allowing Sensitive Data Exposure

Vulnerability

A SQL injection vulnerability has been identified in SMM Panel version 3.1. This vulnerability allows remote attackers to access sensitive information by sending a crafted HTTP request with the 'action' parameter set to 'service_detail'. The issue arises in the 'service_detail' parameter of the '/ajax_data' endpoint, where improper input handling enables SQL injection attacks.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information or privilege escalation on the affected system.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/ajax_data' endpoint. The request must include the 'action' parameter set to 'service_detail' and the 'service' parameter containing a crafted SQL payload that exploits the application's SQL query handling. If the server response time exceeds five seconds, the vulnerability is present.
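For defenders, the five-second delay described above leaves a trace in web server logs. The following added example (not part of the original advisory or of SMM Panel) flags clients that send repeated slow POST requests to '/ajax_data'. It assumes an nginx "combined" access log with $request_time appended; since such logs do not record POST bodies, it keys on the endpoint and delay only, and the repeat threshold and sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format (not from the advisory): nginx "combined" + $request_time.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)
DELAY_THRESHOLD = 5.0  # seconds: the response delay named in the advisory
MIN_HITS = 2           # assumed: slow requests per client before flagging

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Sep/2025:19:01:02 +0000] "POST /ajax_data HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.084
203.0.113.5 - - [01/Sep/2025:19:02:10 +0000] "POST /ajax_data HTTP/1.1" 200 31 "-" "python-requests/2.32" 5.031
203.0.113.5 - - [01/Sep/2025:19:02:16 +0000] "POST /ajax_data HTTP/1.1" 200 31 "-" "python-requests/2.32" 5.112
203.0.113.5 - - [01/Sep/2025:19:02:22 +0000] "POST /ajax_data HTTP/1.1" 200 31 "-" "python-requests/2.32" 10.020
192.0.2.44 - - [01/Sep/2025:19:03:40 +0000] "POST /ajax_data HTTP/1.1" 200 498 "-" "Mozilla/5.0" 6.204
198.51.100.7 - - [01/Sep/2025:19:04:01 +0000] "GET /services HTTP/1.1" 200 20480 "-" "Mozilla/5.0" 7.900
"""

def slow_ajax_requests(lines):
    """Map client IP -> [(timestamp, seconds)] for slow POSTs to /ajax_data."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != "/ajax_data":
            continue
        rt = float(m["rt"])
        if rt > DELAY_THRESHOLD:
            hits[m["ip"]].append((m["ts"], rt))
    return dict(hits)

def suspects(lines, min_hits=MIN_HITS):
    """Keep only clients with repeated slow requests; one slow hit may be load."""
    return {ip: ev for ip, ev in slow_ajax_requests(lines).items() if len(ev) >= min_hits}

if __name__ == "__main__":
    for ip, events in suspects(SAMPLE_LOG.splitlines()).items():
        print(ip, len(events), "slow POSTs to /ajax_data:", events)
```

A flagged client is a lead for review, not proof: correlate with application or WAF logs that capture the 'action' and 'service' parameters before concluding the endpoint was probed.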

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.