iCT Sky SQL Injection

CVE: CVE-2021-39269
Category: CWE-89
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2024-02-11
CVSS: CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024020046

Below is a copy:

iCT Sky SQL Injection
# Exploit Title : iCT Sky SQL Injection
# Google Dork : intext:"IT Partner iCT Sky"
# Discovered By : MrHoudini
# Contact Me : [email protected]
# Date : 11-02-2024
# Vendor : https://ictsky.com/

[!] Description:
SQL injection attacks usually target the database, and all of them are the result of programming errors. If the programmer does not check the inputs correctly, the attacker can send his/her own commands to the database. If the programmer makes this error on the admin page and its inputs are not checked correctly, something very bad happens: the attacker can log in to the administrator panel with password combinations that turn the result to True in PHP.

Request Method : [+] POST
Vulnerable Module: [+] Login
Vulnerable Parameter: [+] (username) and (Password)
==================================================
[!] Bug.........:
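<?php
require_once('any.php');

if ($_POST['submit']) {
    $user = $_POST['user'];
    $pswd = $_POST['pswd'];

    // Bug: both POST values are concatenated into the SQL string unescaped.
    $result = mysql_query("select * from login where user='$user' and pswd='$pswd'");
    $rowcount = mysql_num_rows($result);

    // Any query that returns at least one row is treated as a successful login.
    if ($rowcount > 0) {
        header('Location:any.php');
    } else {
        echo "bad user";
    }
}
?>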
==================================================
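A hardened form of the login check above, as an added example that is not part of the original advisory or the vendor's code: it binds the input with a PDO prepared statement and verifies the password in PHP instead of in the WHERE clause. The table and column names come from the snippet above; the in-memory SQLite database, the sample account, the function names and the use of password_hash() storage are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the vendor's code. Assumes the pswd column holds a
// password_hash() value rather than the plaintext the original compares.
function check_login(PDO $db, string $user, string $pswd): bool
{
    // The placeholder keeps input out of the SQL text, so quote characters
    // in $user are matched as data and cannot change the query structure.
    $stmt = $db->prepare('SELECT pswd FROM login WHERE user = :user LIMIT 1');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();   // false when no such user exists

    // The password never enters the query; it is checked against the hash.
    return is_string($hash) && password_verify($pswd, $hash);
}

// Hypothetical helper: constructed in-memory database with one constructed
// account, so the example runs offline. For a MySQL DSN, also disable
// emulated prepares (PDO::ATTR_EMULATE_PREPARES => false).
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login (user TEXT PRIMARY KEY, pswd TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO login (user, pswd) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

$db = open_demo_db();

// Constructed inputs: a valid login, a wrong password that contains a quote,
// and a user name that contains a quote. Only the first one authenticates.
var_dump(check_login($db, 'admin', 'correct horse'));
var_dump(check_login($db, 'admin', "it's wrong"));
var_dump(check_login($db, "ad'min", 'correct horse'));
```

In a real handler, call session_regenerate_id(true) after a successful check and exit immediately after sending the Location header.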
[!] SQL Injection :
Demo : https://www.faizaeltd.com/shop/category.php?id=3

Copyright ©2024 Exploitalert.
