Takas Classified 1.1 - SQL injection vulnerability

2017-02-27T00:00:00
ID SSV:92720
Type seebug
Reporter Z3r0yu
Modified 2017-02-27T00:00:00

Description

In controllers/Classified_ads.php, the subcatid, catid, locid, areaid, type and post parameters are inserted into the SQL statement, resulting in SQL injection.

SQL injection points:

http://localhost/[PATH]/index.php/classified_ads/ads/?&subcatid=[SQL]

http://localhost/[PATH]/index.php/classified_ads/ads/?&locid=[SQL]

http://localhost/[PATH]/index.php/classified_ads/ads/?&catid=[SQL]

http://localhost/[PATH]/index.php/classified_ads/ads/?&areaid=[SQL]

http://localhost/[PATH]/index.php/classified_ads/ads/?&type=[SQL]

http://localhost/[PATH]/index.php/classified_ads/ads/?&post=[SQL]
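
A log-triage check for the six parameters listed above, as an added example that is not part of the original advisory: it flags requests to the classified_ads/ads endpoint whose affected parameters carry SQL metacharacters. The log lines are constructed, and treating the four *id parameters as integers, as well as the metacharacter list, are assumptions about the application.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory names as injectable.
AFFECTED = {"subcatid", "catid", "locid", "areaid", "type", "post"}
# Assumption: the *id parameters are integer keys in normal use.
NUMERIC = {"subcatid", "catid", "locid", "areaid"}
ENDPOINT = "/classified_ads/ads"
# Assumption: quotes, statement/comment markers and these keywords never
# appear in a legitimate listing filter value.
SUSPICIOUS = re.compile(
    r"""['"`;()]|--|/\*|\b(?:union|select|sleep|benchmark)\b""", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return (name, decoded value) pairs that look like injection attempts."""
    parts = urlsplit(url)
    if ENDPOINT not in parts.path.lower():
        return []
    hits = []
    # parse_qsl percent-decodes values and skips the empty pair after "?&".
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        name = name.lower()
        if name not in AFFECTED:
            continue
        non_integer = name in NUMERIC and value and not (
            value.isascii() and value.isdigit())
        if non_integer or SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return (client address, hits) for each flagged access-log line."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            findings.append((line.split()[0], hits))
    return findings

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Feb/2017:10:00:01 +0000] "GET /index.php/classified_ads/ads/?&catid=4&locid=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Feb/2017:10:00:05 +0000] "GET /index.php/classified_ads/ads/?&subcatid=7%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [27/Feb/2017:10:00:09 +0000] "GET /index.php/classified_ads/ads/?&type=offer%27-- HTTP/1.1" 200 4096',
    '198.51.100.4 - - [27/Feb/2017:10:01:00 +0000] "GET /index.php/classified_ads/ads/?&type=offer&post=today HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```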