SECURITYVULNS:DOC:17388
Jun 30, 2007 - 12:00 a.m.

WheatBlog 1.1 RFI/SQL Injection

Found by E.Minaev ([email protected])
ITDefence.ru

1) SQL injection in the login function. This injection makes it possible to brute-force, character by character, the table names of the
blog's database (magic_quotes_gpc must be turned off).


"$sql = "select * from $tblUsers where login = '$login'";
if ( $login != $row['login'] ) $valid_user = 0;
if ( $password != $row['password'] ) $valid_user = 0;"
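
A hardened form of the login check above, as an added example that is not WheatBlog's code and not part of the original advisory: the login value is bound as a query parameter instead of being interpolated, so the lookup no longer depends on magic_quotes_gpc. The function names, the users table layout, the password hashing, the in-memory SQLite database (pdo_sqlite) and the sample account are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the blog's user table (hypothetical layout).
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO users (login, password) VALUES (?, ?)');
    // Store a hash, never the plaintext password.
    $stmt->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Hypothetical replacement for the vulnerable check.
function valid_user(PDO $pdo, string $login, string $password): bool
{
    // The table name is a fixed literal; only the value is user-controlled,
    // and it is bound as data, so quotes in $login cannot change the query.
    $stmt = $pdo->prepare('SELECT login, password FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    // Hash comparison replaces the plain "!=" comparison of the original.
    return password_verify($password, $row['password']);
}

$pdo = open_demo_db();

// Constructed inputs: a valid login, a wrong password, and a login
// containing quote characters that the vulnerable query would parse as SQL.
$attempts = [
    ['admin', 'correct horse'],
    ['admin', 'wrong'],
    ["admin' OR '1'='1", 'anything'],
];

foreach ($attempts as [$login, $password]) {
    $result = valid_user($pdo, $login, $password) ? 'accepted' : 'rejected';
    printf("%-20s => %s\n", $login, $result);
}
```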

2) Remote File Inclusion (RFI)
/includes/sessions.php?wb_class_dir=shell?