This exploit demonstrates a SQL injection vulnerability in CiuisCRM 1.6 via the 'eventType' parameter in a POST request to the calendar/addevent endpoint. The payload uses a time-based blind SQLi technique to extract data from the database.
Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: CiuisCRM v1.6
No auth needed
Prerequisites: Access to the target application's calendar/addevent endpoint