CVE-2009-3430

Allomani Mobile 2.5 - SQL Injection via Login Username Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3430. PoCs published by Qabandi.

AI-analyzed exploit summary This PHP script exploits a blind SQL injection vulnerability in Allomani Mobile v2.5 by brute-forcing the admin username and password character-by-character. It uses time-based techniques to infer data from the database.

Description

SQL injection vulnerability in login.php in Allomani Mobile 2.5 allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Qabandi · phpwebappsphp

https://www.exploit-db.com/exploits/9273

View Code ZIP pw:eip

This PHP script exploits a blind SQL injection vulnerability in Allomani Mobile v2.5 by brute-forcing the admin username and password character-by-character. It uses time-based techniques to infer data from the database.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Allomani Mobile v2.5

No auth needed

Prerequisites: Target must be running Allomani Mobile v2.5 · Blind SQL injection vulnerability must be present in login.php

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/52012

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/9273

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/2029

Scores

EPSS 0.0100

EPSS Percentile 58.2%

Details

CWE

CWE-89

Status published

Products (1)

allomani/mobile 2.5

Published Sep 25, 2009

Tracked Since Feb 18, 2026