Shain L.’s Post

I discovered and submitted a nice easy CVE a few weeks back (CVE-2021-43329). I did notify the vendor, who has patched legitimate future versions. There’s a remote unauthenticated SQL injection in license_update.php (located on the web root) on all versions <= 2.93. It’s an error-based blind SQLi which you can do manually, but if you’re feeling lazy just feed the request to sqlmap. Here’s a link to the vuln in case anyone receives an invitation to test the software, or for some odd reason it comes up in a penetration test:

Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)

Anthony Jones

Offensive Security Specialist (Red Team/Purple Team) at Wesfarmers Group | OSCP | CRTO | CISSP | ISO 27001 LA & LI |

3y

Nice work mate!

Jacob L.

Threat Researcher | Offensive Security Lead | Speaker | Podcast Host

3y

Cool finding!
