Vendor: MyCustomers
By: Persian Hack Team
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: MyCustomers
Affected Version From: 1.3
Affected Version To: 1.3
Patch Exists: NO
Related CWE: None
CPE: a:iran-php:mycustomers
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2015

MyCustomers CMS SQL Injection Vulnerability

MyCustomers CMS is vulnerable to SQL injection through the DPT parameter of index.php. An attacker can exploit the vulnerability by sending malicious SQL in this parameter; the issue can be triggered by appending a single quote character to its value, for example http://server/index.php?DPT=IP17%27. This can allow an attacker to gain access to the database and potentially execute arbitrary code.

Mitigation:

The vendor should patch the vulnerability by properly sanitizing user input.
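
One way to apply this mitigation, as an added PHP example that is not MyCustomers' own code (the page does not show the CMS source): the `departments` table, its columns, the `findDepartment` function and the assumed DPT format, inferred only from the sample value IP17, are hypothetical. It assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Assumed shape of a DPT value, inferred only from the sample "IP17" on the page.
const DPT_PATTERN = '/\A[A-Za-z]{1,8}[0-9]{1,6}\z/';

// Pattern to avoid (assumed, not taken from the CMS):
//   "SELECT ... WHERE code = '" . $_GET['DPT'] . "'"
// A trailing quote in DPT then changes the SQL text itself.

function findDepartment(PDO $db, mixed $rawDpt): ?array
{
    // Reject arrays (index.php?DPT[]=x) and anything outside the allow-list.
    if (!is_string($rawDpt) || preg_match(DPT_PATTERN, $rawDpt) !== 1) {
        return null;
    }
    // Bound parameter: the value travels as data and is never spliced into SQL.
    $stmt = $db->prepare('SELECT code, title FROM departments WHERE code = :dpt');
    $stmt->execute([':dpt' => $rawDpt]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE departments (code TEXT PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO departments VALUES ('IP17', 'Sample department')");

// Constructed inputs: a valid value, the quoted value from the advisory, an array.
foreach (['IP17', "IP17'", ['x']] as $input) {
    $row = findDepartment($db, $input);
    $result = $row !== null ? $row['title'] : 'rejected or not found';
    echo json_encode($input), ' => ', $result, PHP_EOL;
}
```

The allow-list check is defense in depth; the prepared statement alone already keeps the quote character from being interpreted as SQL.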
Source

Exploit-DB raw data:

######################
# Exploit Title : MyCustomers Cms Sql Injection Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://www.iran-php.com/
# Google Dork : "Powered By IranPHP" & inurl:/index.php?DPT=IP17 & "Powered+by+MyCustomers-1.3.873"
# Date: 2015/11/28
# Version :  1.3
# 
######################
# Vulnerable Parameter DPT=
# Demo:
# http://server/index.php?DPT=IP17%27
#
# Youtube : https://www.youtube.com/watch?v=43DVOq5L2hw
#
# We reported to the vendor but no one was responsive
# It's not a joke
# We do not take responsibility
#
######################
# Discovered by : 
# Mojtaba MobhaM & T3NZOG4N (t3nz0g4n@yahoo.com)
######################