CVE-2009-1626

EZ-Blog - SQL Injection via Category Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-1626. PoCs published by YEnH4ckEr.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in EZ-blog Beta2, allowing an attacker to upload a malicious shell via a crafted POST request. The PoC includes both a proof of concept for SQLi and a full exploit for shell upload.

Description

SQL injection vulnerability in public/specific.php in EZ-Blog before Beta 2 20090427, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the category parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by YEnH4ckEr · textwebappsphp

https://www.exploit-db.com/exploits/8547

View Code ZIP pw:eip

This exploit demonstrates a SQL injection vulnerability in EZ-blog Beta2, allowing an attacker to upload a malicious shell via a crafted POST request. The PoC includes both a proof of concept for SQLi and a full exploit for shell upload.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: EZ-blog Beta2

No auth needed

Prerequisites: magic_quotes_gpc=off · access to the target web application

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Product x_refsource_confirm

http://sourceforge.net/project/shownotes.php?release_id=678562&group_id=243152

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/8547

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/34729

Scores

EPSS 0.0113

EPSS Percentile 62.1%

Details

CWE

CWE-89

Status published

Products (2)

will_kraft/ez-blog

will_kraft/ez-blog < -

Published May 12, 2009

Tracked Since Feb 18, 2026