CVE-2008-1496

PEEL - SQL Injection via Email Parameter or Timestamp Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-1496. PoCs published by Charles Fol.

AI-analyzed exploit summary This exploit targets multiple vulnerabilities in PEEL CMS, including SQL injection, blind SQL injection, and authentication bypass to extract admin hashes and upload a malicious file. It demonstrates a multi-stage attack chain to achieve remote code execution.

Description

Multiple SQL injection vulnerabilities in PEEL, possibly 3.x and earlier, allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to (a) membre.php, and the (2) timestamp parameter to (b) the details action in achat/historique_commandes.php and (c) the facture action in factures/facture_html.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Charles Fol · phpwebappsphp

https://www.exploit-db.com/exploits/5281

View Code ZIP pw:eip

This exploit targets multiple vulnerabilities in PEEL CMS, including SQL injection, blind SQL injection, and authentication bypass to extract admin hashes and upload a malicious file. It demonstrates a multi-stage attack chain to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: PEEL CMS (various versions including PREMIUM, POWERSELL, INTEGRALE, PROFESSIONNELLE)

No auth needed

Prerequisites: Access to the target PEEL CMS installation · Network connectivity to the target

MITRE ATT&CK