CVE-2007-4156

woliocms - SQL Injection via Member ID or Admin Login Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-4156. PoCs published by k1tk4t.

AI-analyzed exploit summary This exploit demonstrates SQL injection and administrator login bypass in wolioCMS by manipulating the 'id' parameter in member.php and the login form in admin/index.php. It requires 'magic_quotes_gpc' to be off.

Description

Multiple SQL injection vulnerabilities in wolioCMS allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to member.php in a page action, related to a SELECT statement in common.php; and the (2) loginid parameter (uid variable), and possibly the (3) pwd parameter, to admin/index.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by k1tk4t · textwebappsphp

https://www.exploit-db.com/exploits/4246

View Code ZIP pw:eip

This exploit demonstrates SQL injection and administrator login bypass in wolioCMS by manipulating the 'id' parameter in member.php and the login form in admin/index.php. It requires 'magic_quotes_gpc' to be off.

Classification

Working Poc 90%

Attack Type

Sqli | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: wolioCMS

No auth needed

Prerequisites: magic_quotes_gpc = off

MITRE ATT&CK