CVE-2012-4772
Subrion CMS < 2.2.3 - SQL Injection via Register Plan ID Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2012-4772.
AI-analyzed exploit summary
The provided exploit code demonstrates multiple vulnerabilities in Subrion CMS 2.2.1, including SQL Injection (CVE-2012-4772), Cross-Site Scripting (CVE-2012-4771), and Cross-Site Request Forgery (CVE-2012-4773). The SQL Injection PoC shows how arbitrary SQL code can be injected via the 'plan_id' parameter to create a PHP shell, while the XSS and CSRF PoCs illustrate how arbitrary script code can be executed and administrative actions can be performed without proper validation.
Description
SQL injection vulnerability in register/ in Subrion CMS before 2.2.3 allows remote attackers to execute arbitrary SQL commands via the plan_id parameter.