Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-2499. PoCs published by omnipresent.
AI-analyzed exploit summary: This exploit demonstrates an SQL injection vulnerability in CodeAvalanche News 1.2, allowing an attacker to bypass authentication by injecting a malicious SQL query into the password parameter. The provided URL manipulates the query to always return true, granting unauthorized access.
Description
SQL injection vulnerability in default.asp in CodeAvalanche News (CANews) 1.2 allows remote attackers to execute arbitrary SQL commands via the password field.