CVE-2018-6605

CRITICAL EXPLOITED IN THE WILD NUCLEI

Zh BaiduMap 3.0.0.1 - SQL Injection via id Parameter

Title source: llm

Exploitation Summary

CVE-2018-6605 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Ihsan Sencan. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a functional SQL injection PoC for Joomla! Component Zh BaiduMap 3.0.0.1, demonstrating multiple injection points in the controller.php file. The exploit uses UNION-based SQLi to extract table names from the INFORMATION_SCHEMA database.

Description

SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.

Exploits (1)

exploitdb WORKING POC

by Ihsan Sencan · textwebappsphp

https://www.exploit-db.com/exploits/43974

View Code ZIP pw:eip

This is a functional SQL injection PoC for Joomla! Component Zh BaiduMap 3.0.0.1, demonstrating multiple injection points in the controller.php file. The exploit uses UNION-based SQLi to extract table names from the INFORMATION_SCHEMA database.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Joomla! Component Zh BaiduMap 3.0.0.1

No auth needed

Prerequisites: Access to the vulnerable Joomla component endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection

CRITICALby DhiyaneshDk

FOFA: app="Joomla!-网站安装" || app="joomla!-网站安装"

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43974/

Scores

CVSS v3 9.8

EPSS 0.5832

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-12

InTheWild.io 2021-04-12

CWE

CWE-89

Status published

Products (1)

zh_baidumap_project/zh_baidumap 3.0.0.1

Published Feb 05, 2018

Tracked Since Feb 18, 2026