Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12239
HistoryApr 15, 2006 - 12:00 a.m.

Serendipity Blog vuln

2006-04-1500:00:00
vulners.com
21
JSON

I found this while auditing serendipty blog. You need a blog account (
which isnt that big of deal just google all the sites that give out free
blogs ) for this to work. After you get hte blog account you go into
your admin panel where there will be config options. The mysql details
are editable from this form. Since these details are what connects to
the database they cant be stored in it. For this reason
they are stored in a config .php file.
They way this is done isthrough unfiltered fwrites() to the file so for
example my "tableprefix" was tgo_ and the code in the config file looked
liked:
CODEWHATEVER_THE_VAR_WAS='tgo_';
Soas we can see here we have some room for fun. MY poc on my
friendsserver was to make my table prefix ( there cant be any spaces )
CODEtgo_';phpinfo();echo'hi
Which makes the file look like:
CODE
WHATEVER_THE_VAR_WAS='tgo';phpinfo();echo'hi';
As expected my blog got defaced with the servers phpinfo(). Other fun
things would be like
CODE
tgo';system
Thefile this gets wrote to gets included on every page for YOUR blog
sofor instace my blog is blogs.site.com/tgo then this file will
beincluded in all those allowing me to put ?cmd= on all of them

vuln by moep , moep2mail[at]mail[dot]ru

JSON