CVE-2018-16659

CRITICAL

Rausoft ID.prove <2.95 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-16659. PoCs published by Ilya Timchenko.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in Rausoft ID.prove 2.95 via the 'Username' parameter. The payload uses a stacked query with a time-based delay to confirm the vulnerability, and suggests potential privilege escalation via xp_cmdshell.

Description

An issue was discovered in Rausoft ID.prove 2.95. The login page allows SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter. Hypothetically, an attacker can utilize master..xp_cmdshell for the further privilege elevation.

Exploits (1)

exploitdb WORKING POC

by Ilya Timchenko · textwebappswindows_x86-64

https://www.exploit-db.com/exploits/45500

View Code ZIP pw:eip

This exploit demonstrates a SQL injection vulnerability in Rausoft ID.prove 2.95 via the 'Username' parameter. The payload uses a stacked query with a time-based delay to confirm the vulnerability, and suggests potential privilege escalation via xp_cmdshell.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Rausoft ID.prove 2.95

No auth needed

Prerequisites: Access to the login page of the target application · Valid __RequestVerificationToken value

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45500/

Scores

CVSS v3 9.8

EPSS 0.0274

EPSS Percentile 84.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

rausoft/id.prove 2.95

Published Sep 28, 2018

Tracked Since Feb 18, 2026