Advanced Comment System 1.0 - SQL Injection

ID: 100233
Download vulnerable application: None
# Exploit Title: SQL injection in Advanced comment system v1.0
# Date: 29-10-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage:
# Software Link:
# Version: Advanced comment system v1.0
# Tested on: All
# CVE : CVE-2018-18619
# Category: webapps

1. Description

The PHP page internal/advanced_comment_system/admin.php in Advanced Comment
System 1.0 is prone to an SQL injection vulnerability because it fails to
sufficiently sanitize user-supplied data before using it in an SQL query,
allowing remote attackers to perform SQL injection via a URL in the
"page" parameter.
The product is discontinued.

2. Proof of Concept


3. Solution:

The product is discontinued.
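
Because no vendor fix is available, access-log review is one compensating control. The following is an added example, not part of the original advisory: it flags requests to the affected script whose "page" value contains SQL syntax. Only the script path and the parameter name come from the advisory; the log format (combined access log), the indicator pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter name come from the advisory; everything else is assumed.
VULN_PATH = "internal/advanced_comment_system/admin.php"
PARAM = "page"

# Characters/tokens that have no place in a plain page URL but are typical of
# SQL syntax: quotes, statement separators, comment markers, common keywords.
SUSPICIOUS = re.compile(
    r"['\";]|--|/\*|\b(union|select|sleep|benchmark|information_schema)\b",
    re.IGNORECASE,
)

# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (line_number, decoded page value) for hits on the vulnerable script."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith(VULN_PATH):
            continue
        # parse_qs percent-decodes values, so encoded quotes are caught too.
        for value in parse_qs(target.query, keep_blank_values=True).get(PARAM, []):
            if SUSPICIOUS.search(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Oct/2018:10:00:01 +0000] "GET /internal/advanced_comment_system/admin.php?page=http%3A%2F%2Fexample.test%2Fpost.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/Oct/2018:10:00:07 +0000] "GET /internal/advanced_comment_system/admin.php?page=http%3A%2F%2Fexample.test%2Fpost.php%27%20OR%20%271 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [29/Oct/2018:10:00:09 +0000] "GET /index.php?page=it%27s HTTP/1.1" 200 128',
]


if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: page={value!r}")
```

The same pattern can back a deny rule in a reverse proxy or WAF in front of the script; removing the discontinued component remains the durable fix.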