It appears that sites designed by e-Biz Technocrats Pvt.Ltd suffer from a remote SQL injection vulnerability. As they do not provide any sort of versioning with their offerings, the researcher was unable to provide affected versions. Versions as of May 11, 2023 were affected.
# Exploit Title: Sql Injection on one site credentials can be use on other sites
- Google Dork:" Designed and Developed by e-Biz Technocrats Pvt.Ltd "
- Date: 05/11/2023
- Exploit Author: K1LL3rB4LL
- Tested on: Mac, Windows, Linux
Description:
The vulnerability found is an SQL injection. You may run the site thru automated sql injection or manually doing sql injection once the credentials gathered you do your reverse ip to check your other website.
Vuln colum count: 5
Vuln colum : 3,4
Type of Sql : WAF
Username: admin
Password: 123456
admin panel: site.com/admin
Details: After gathering information from sql injection from site a site (site A) you may use the said credentials to access other websites on the same ip or with the same developer if you managed to get an access and upload a php script or backdoor. You may access other sites on their public_html or that is connected on their website which share the same server and if your going to look at the sites they share the same common developer. In some sites that don't have the same credentials you still do the same sql injection with the same colum count, vuln colum number and database where they store the admin credentials.
