WheatBlog 1.1 RFI/SQL Injection
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: WheatBlog 1.1 RFI/SQL Injection
- From: underwater@xxxxxxxxxxxx
- Date: 30 Jun 2007 14:52:04 -0000
Found by E.Minaev (underwater@xxxxxxxxxxxx)
ITDefence.ru
1) SQL Injection in the login function. With the help of this injection it is
possible to brute-force the table names of the blog's database character by
character (magic_quotes_gpc should be turned off).
------------------------------------------
"$sql = "select * from $tblUsers where login = '$login'";
if ( $login != $row['login'] ) $valid_user = 0;
if ( $password != $row['password'] ) $valid_user = 0;"
------------------------------------------
2) Remote File Inclusion (RFI)
/includes/sessions.php?wb_class_dir=shell?
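
A hardened form of the login lookup quoted in item 1, as an added example that is not part of the original advisory or of WheatBlog's code. It assumes PDO with an in-memory SQLite database, a hypothetical table name "wb_users", and passwords stored with password_hash() instead of the plaintext comparison shown above.

```php
<?php
// Added example: hardened version of the login query from item 1.
// Assumptions (not from WheatBlog): PDO, in-memory SQLite, the table
// name "wb_users", and password_hash()-style stored passwords.

const ALLOWED_USER_TABLES = ['wb_users'];   // hypothetical table name

function check_login(PDO $db, string $tblUsers, string $login, string $password): bool
{
    // Identifiers cannot be bound as parameters, so the table name is
    // checked against a fixed allowlist before it is interpolated.
    if (!in_array($tblUsers, ALLOWED_USER_TABLES, true)) {
        throw new InvalidArgumentException('unexpected table name');
    }

    // $login travels as a bound parameter: a quote inside it is data,
    // not SQL, regardless of the magic_quotes_gpc setting.
    $stmt = $db->prepare("SELECT login, password FROM $tblUsers WHERE login = :login");
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // no such user
    }

    // Verify against a stored hash rather than comparing plaintext columns.
    return password_verify($password, $row['password']);
}

// Constructed sample data, for demonstration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wb_users (login TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO wb_users (login, password) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// A valid login, then a login value containing quotes; the second is
// looked up as a literal string and matches no row.
var_dump(check_login($db, 'wb_users', 'admin', 'correct horse'));
var_dump(check_login($db, 'wb_users', "admin' OR '1'='1", 'x'));
```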