Advanced Comment System 1.0 - SQL Injection

Type exploitpack
Reporter Rafael Pedrero
Modified 2018-11-14T00:00:00


# Exploit Title: SQL injection in Advanced comment system v1.0
# Date: 29-10-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage:
# Software Link:
# Version: Advanced comment system v1.0
# Tested on: All
# CVE : CVE-2018-18619
# Category: webapps

1. Description

The PHP page internal/advanced_comment_system/admin.php in Advanced Comment
System 1.0 is prone to an SQL injection vulnerability because it fails to
sufficiently sanitize user-supplied data before using it in an SQL query.
This allows remote attackers to perform SQL injection via a URL in the
"page" parameter.
The product is discontinued.

2. Proof of Concept


3. Solution:

The product is discontinued.
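
With no vendor fix available, one compensating control is to review web server logs for anomalous "page" values sent to admin.php. The following is an added example, not part of the original advisory or the product: the log format (combined access log), the sample entries and the rule that a legitimate "page" value is a plain URL are all assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET = "internal/advanced_comment_system/admin.php"  # path from the advisory
# Assumption: a legitimate "page" value is a plain URL, so quotes, backticks,
# semicolons, whitespace and "/*" are treated as anomalies (heuristic).
SUSPICIOUS = re.compile(r"""['"`;\s]|/\*""")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation addresses and hosts, not real traffic).
_FMT = '203.0.113.5 - - [01/Nov/2018:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
_ADMIN = "/" + TARGET
SAMPLE_LOG = [
    _FMT.format(_ADMIN + "?page=http%3A%2F%2Fexample.test%2Fpost%2F1"),
    _FMT.format(_ADMIN + "?page=http%3A%2F%2Fexample.test%2Fpost%2F1%27"),
    _FMT.format(_ADMIN + "?page=x%2527"),       # double-encoded quote
    _FMT.format("/index.php?page=a%27"),        # different script, ignored
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_page_values(log_lines):
    """Return (line_number, decoded_value) for flagged requests to admin.php."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(TARGET):
            continue
        # parse_qs decodes once; fully_decode handles any further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("page", []):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_page_values(SAMPLE_LOG):
        print(f"line {number}: suspicious page value {value!r}")
```

Access logs record only the query string, so a "page" value sent in a POST body would need to be inspected at a WAF or reverse proxy instead.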