# Exploit Title: Datenator 0.3.0 (event.php id) SQL Injection
# Date: 26.12.09
# Author: The_HuliGun
 
# Look on code in event.php:
  
22: if(isset($_GET['id']))
23: {
24:     $event = $datenator->read_event_info($_GET['id']);
 
# Function read_event_info() is in file includes/functions.php
 
412: function read_event_info($event_id)
413:    {
414:        $sql = "SELECT * FROM
415:        ".$this->getConfig('db_tableprefix')."events,
416:        ".$this->getConfig('db_tableprefix')."events_repeat
417:        WHERE
418:        ".$this->getConfig('db_tableprefix')."events.event_id = ".$this->prepare_sql($event_id)." and 
419:        ".$this->getConfig('db_tableprefix')."events_repeat.repeat_event_id = ".$this->prepare_sql($event_id)."";
420:
421:        $event_data=$this->db->Execute($sql);
422:
423:        if($event_data) {
424:            return $event_data;
                        ...
 
# As you can see variable id is not filtered, so, we can use such exploit with any php settings:
 
http://[targethost]/[path]/event.php?id=[SQL]
 
# Bug discovered by The_HuliGun
 
# Greetz to: NaTka, hope you'll find yourself ;>
 
# See u soon!