## https://sploitus.com/exploit?id=89CCE360-7C57-56A1-A97A-E68CA2174704
# CVE-2023-6654
**PHPEMS Cookie Deserialization Vulnerability**: This vulnerability allows for modifying SQL statements through deserialization. It enables SQL injection attacks, potentially allowing access to user passwords or permissions. The default admin account is `peadmin`.
## Fofa Finger
# app="PHPEMS"
## Tool Usage
`python exp.py -u http://127.0.0.1:1111`
- The `-u` parameter specifies the URL address of PHPEMS.
- The `-a` parameter specifies the username; the default is the default admin account `peadmin`.
- The `-p` parameter specifies the password to be modified; the default is `123456`.
- The `-o` parameter specifies the option: 0 to modify the password of the specified account; 1 to modify the permissions of the specified account as admin. It is recommended to use option 1.
**Example Execution:**

## Disclaimer
Any direct or indirect consequences or losses resulting from the dissemination or use of the information provided in this document are the responsibility of the user. The author assumes no responsibility for such incidents.