CVE-2008-0428
bloofoxCMS 0.3 - SQL Injection via Username or Password Parameter
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-0428. PoCs published by BugReport.IR.
AI-analyzed exploit summary: This writeup describes SQL injection and source code disclosure vulnerabilities in bloofoxCMS 0.3. The SQLi allows authentication bypass via crafted input, while the source disclosure enables arbitrary file reads via directory traversal.
Description
Multiple SQL injection vulnerabilities in the login function in system/class_permissions.php in bloofoxCMS 0.3 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to admin/index.php.