| Title | Smsot Smsot ≤2.12 SQL Injection |
|---|
| Description | The SMSOT application (version ≤2.12) hosted at https://fours.smsot.com/ is found to have a significant SQL Injection vulnerability in its /api.php file. The 'data[sign]' parameter is directly concatenated into the SQL query without proper sanitization or parameterization, leading to potential manipulation of the underlying SQL command. This is further exacerbated by the fact that the 'auth_key' is a fixed and known value ("158544IS8jZBLWtg"). The vulnerability was demonstrated through a crafted POST request, which induced a delay in the server response, confirming the existence of a SQL injection point. This vulnerability, if exploited, could allow an attacker to manipulate the application's database, leading to potential data exposure, data loss, or unauthorized access. Immediate remediation is advised. |
|---|
| Source | ⚠️ https://note.zhaoj.in/share/3GznRo9vWRJ8 |
|---|
| User | glzjin (UID 59815) |
|---|
| Submission | 01/18/2024 10:28 (2 years ago) |
|---|
| Moderation | 01/19/2024 12:25 (1 day later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 251556 [Smsot up to 2.12 HTTP POST Request /api.php data[sign] sql injection] |
|---|
| Points | 20 |
|---|