Ocomon 2.0: Administrative Access Bypass / Multiple SQL Injection
~ J0nshu4w ~

xDetails:
========================================
[Software] - Ocomon
[Bug Summary] - Multiple SQL Injection (SQLi)
[Impact] - High
[Affected Version] - Latest 2.0RC6 - Prior versions may also be affected
=========================================

x01 - Search by dork in Google.
      Dorks: inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6
x02 - After finding the victim, open Inspect Element on the admin page.
x03 - Look for the parameter: <body>: <table>: <tbody>: <tr>, and return valida(), and delete the content, leaving it blank.
x04 - Then sign in using "admin'or'" for both Username and Password.
x05 - Finished! You get access to the administrative page of the system.

--------------------------------------------
xDEMO:
http://200.66.111.38/ocomon/index.php
http://191.241.229.210:8080/ocomon/index.php
http://191.241.229.210:8081/ocomon/index.php
---------------------------------------------
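The steps above depend on two weaknesses: the input check (valida()) runs only in the browser, and the submitted values become part of the SQL text. As an added example (not code from Ocomon or from the advisory's author), this Python/sqlite3 sketch contrasts that pattern with server-side validation and a bound parameter; the table, account, salt and function names are assumptions.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed schema, account and salt for illustration; not Ocomon's code.
# A real deployment would use a per-user salt or a password-hashing library.
DEMO_SALT = b"constructed-demo-salt"
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
PAYLOAD = "admin'or'"  # the string given in step x04


def pw_hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("correct horse")))
    return db


def login_concatenated(db: sqlite3.Connection, user: str, password: str) -> bool:
    """'Before' pattern: trusts the browser-side check and splices input into SQL."""
    sql = ("SELECT login FROM users WHERE login = '" + user
           + "' AND hash = '" + pw_hash(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Validation repeated on the server, then a bound parameter and a
    constant-time hash comparison outside the SQL statement."""
    if not USERNAME_RE.fullmatch(user) or not password:
        return False
    row = db.execute("SELECT hash FROM users WHERE login = ?", (user,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_concatenated),
                     ("parameterized", login_parameterized)):
        print(name, "payload:", fn(db, PAYLOAD, PAYLOAD),
              "valid:", fn(db, "admin", "correct horse"))
```

In the concatenated version the quote in the username closes the string literal early, so the password comparison no longer decides the result; with a bound parameter the same input is compared as a literal login name and matches no row.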