EIP-2026-105825

PRE-CVE

ChillyCMS - Blind SQL Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-105825. PoCs published by IHTeam.

AI-analyzed exploit summary This Hybris script exploits a blind SQL injection vulnerability in ChillyCMS 1.1.2 by brute-forcing the admin username and password hash via time-based or boolean-based techniques. It iterates through characters and checks responses to reconstruct credentials.

Description

ChillyCMS - Blind SQL Injection

Exploits (1)

exploitdb WORKING POC

by IHTeam · perlwebappsphp

https://www.exploit-db.com/exploits/12643

View Code ZIP pw:eip

This Hybris script exploits a blind SQL injection vulnerability in ChillyCMS 1.1.2 by brute-forcing the admin username and password hash via time-based or boolean-based techniques. It iterates through characters and checks responses to reconstruct credentials.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: ChillyCMS 1.1.2

No auth needed

Prerequisites: Network access to the target ChillyCMS instance · Blind SQLi vulnerability in the 'mod' parameter of show.site.php

MITRE ATT&CK

T1505 - Server Software Component T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026