CVE-2012-3791
Simple Web Content Management System 1.1 - SQL Injection via id or status Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2012-3791. PoCs published by loneferret.
AI-analyzed exploit summary: The exploit demonstrates SQL injection vulnerabilities in Simple Web Content Management System versions 1.1 and 1.3. Multiple parameters across various pages are vulnerable due to lack of input sanitization, allowing unauthenticated and authenticated SQLi attacks.
Description
Multiple SQL injection vulnerabilities in Simple Web Content Management System 1.1 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) item_delete.php, (2) item_status.php, (3) item_detail.php, (4) item_modify.php, or (5) item_position.php in admin/; or (6) status parameter to admin/item_status.php.