CVE-2015-2679

genixcms < 0.0.1 - SQL Injection via Page or Username Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2679. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates unauthenticated SQL injection and persistent XSS vulnerabilities in GeniXCMS v0.0.1. It includes payloads for extracting admin credentials, reading files, and executing arbitrary JavaScript via stored and reflected XSS.

Description

Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) page parameter to index.php or (2) username parameter to gxadmin/login.php.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappsphp

https://www.exploit-db.com/exploits/36321

View Code ZIP pw:eip

This exploit demonstrates unauthenticated SQL injection and persistent XSS vulnerabilities in GeniXCMS v0.0.1. It includes payloads for extracting admin credentials, reading files, and executing arbitrary JavaScript via stored and reflected XSS.

Classification

Working Poc 100%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: GeniXCMS v0.0.1

No auth needed

Prerequisites: Target running GeniXCMS v0.0.1 · Network access to the target

MITRE ATT&CK