IMP XForm 2.0 DatalifeEngine SQL Injection

2018.04.13
Credit: Hesam Bazvand
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: IMP XForm v2.0 DatalifeEngine Module SQL Injection
# Exploit Author: Hesam Bazvand
# Software Link: http://www.datalifeengine.ir/download/1396/IMP.XForm.v2.0.zip
# Tested on: Windows 10 / Kali Linux
# Category: WebApps
# Dork: inurl:xform/1.html OR inurl:xform/2.html etc.
# Email: Black.king066@gmail.com

Exploit: Insert '"1 in the Email form field and enjoy it :D

Request: https://i.imgur.com/6MjOoYF.jpg
Response: https://i.imgur.com/Pbsr5iq.jpg

POC Targets:
http://payamclub.ir/xform/1.html
http://p-it.ir/xform/1.html
http://www.dlestore.ir/xform/2.html
http://www.muslimstudents.ir/xform/2.html
http://bandarabadan10000.ir/xform/1.html
http://www.ghaem125.ir/xform/1.html
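As an added illustration that is not part of this advisory and not the IMP XForm module's own code (which is not shown here), the Python snippet below models the CWE-89 pattern behind the finding: a lookup that concatenates the submitted Email value into SQL, probed with the advisory's '"1 string, beside a hardened version that validates the address and binds it as a query parameter. The table name, schema and email pattern are assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the module's mail table (assumption: the
# real XForm schema is not known; this is illustrative only).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE xform_mail (id INTEGER PRIMARY KEY, email TEXT)")
    db.execute("INSERT INTO xform_mail (email) VALUES ('user@example.com')")
    db.commit()
    return db

def lookup_vulnerable(db, email):
    # The form value becomes part of the SQL text itself (CWE-89).
    sql = "SELECT id FROM xform_mail WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def probe_vulnerable(db, email):
    # True when the value breaks the statement, i.e. the injection point is live.
    try:
        lookup_vulnerable(db, email)
        return False
    except sqlite3.OperationalError:
        return True

def query_bound(db, email):
    # Parameter binding: the value is passed to the driver, never parsed as SQL.
    return db.execute("SELECT id FROM xform_mail WHERE email = ?", (email,)).fetchall()

# Assumed address shape; tighten to the module's own rules if stricter.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def lookup_hardened(db, email):
    # Reject anything not shaped like an address, then bind what remains.
    if not EMAIL_RE.fullmatch(email):
        return None
    return query_bound(db, email)

def demo():
    db = make_db()
    payload = "'\"1"  # the probe string from the advisory
    # (True, [], None): concatenation errors, binding returns no row, validation rejects
    return probe_vulnerable(db, payload), query_bound(db, payload), lookup_hardened(db, payload)
```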



Copyright 2018, cxsecurity.com
