CVE-2009-2439

Web Development House Alibaba Clone - SQL Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-2439. PoCs published by 599eme Man, spykit.

AI-analyzed exploit summary: This exploit demonstrates SQL injection and blind SQL injection vulnerabilities in Alibaba-clone CMS. It provides proof-of-concept URLs to extract database information such as version, user, and database name.

Description

Multiple SQL injection vulnerabilities in Web Development House Alibaba Clone allow remote attackers to execute arbitrary SQL commands via the (1) IndustryID parameter to category.php and the (2) SellerID parameter to supplier/view_contact_details.php. NOTE: this is a product that was developed by a third party; it is not associated with alibaba.com or the Alibaba Group.

Exploits (2)

exploitdb WORKING POC VERIFIED
by 599eme Man · text · webapps · php
https://www.exploit-db.com/exploits/9211

This exploit demonstrates SQL injection and blind SQL injection vulnerabilities in Alibaba-clone CMS. It provides proof-of-concept URLs to extract database information such as version, user, and database name.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Alibaba-clone CMS
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by spykit · text · webapps · php
https://www.exploit-db.com/exploits/12333

This exploit demonstrates a SQL injection vulnerability in CmS version 5.0, specifically targeting the 'IndustryID' parameter in the 'category.php' file. The PoC uses a UNION-based SQL injection to extract sensitive information such as admin credentials and email details.

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: CmS version 5.0
No auth needed
Prerequisites: Access to the vulnerable 'category.php' endpoint
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1838
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35741

Scores

EPSS 0.0100
EPSS Percentile 58.3%

Details

CWE CWE-89
Status published
Products (1)
web_development_house/alibaba_clone
Published Jul 13, 2009
Tracked Since Feb 18, 2026