Gửi #422994: Tecno 4G Portable WiFi TR118 firmware version(TR118-M30E-RR-D- EnFrArSwHaPo-OP-V008-20220830) SQL Injectionthông tin

tiêu đềTecno 4G Portable WiFi TR118 firmware version(TR118-M30E-RR-D- EnFrArSwHaPo-OP-V008-20220830) SQL Injection
Mô tảA vulnerability was found in the /goform/goform_get_cmd_process endpoint of the SMS check functionality that allows an authenticated remote attacker to perform SQL injection via the order_by parameter. This vulnerability occurs when the application fails to properly sanitize user input, enabling an attacker to manipulate the SQL query executed by the backend. By crafting a malicious request, an attacker can inject arbitrary SQL code into the order_by parameter( /goform/goform_get_cmd_process?isTest=false&cmd=sms_data_total&page=0&data_per_page=599&mem_store=1&tags=10&order_by={query}&_=1728727312037), which can lead to unauthorized access to sensitive data, data manipulation, or even complete database compromise. Tools like SQLMap can be utilized to automate the exploitation of this vulnerability, allowing the attacker to extract information from the database.
Nguồn⚠️ https://asciinema.org/a/2mwkmDqRZfeAYTu5hHre1r4QB
Người dùng
 Allan Njuguna (UID 57480)
Đệ trình12/10/2024 22:06 (cách đây 2 những năm)
Kiểm duyệt19/10/2024 16:27 (7 days later)
Trạng tháiđược chấp nhận
Mục VulDB280969 [Tecno 4G Portable WiFi TR118 V008-20220830 SMS Check goform_get_cmd_process order_by Tiêm SQL]
điểm20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!