Normal users click the 'next' and 'previous' links, where $offset is encoded in the URL. The script expects the incoming $offset to be a decimal number. However, it is possible to change the URL by appending a new value, in URL-encoded form, like this:
PHP Code:
0;
INSERT INTO pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
SELECT 'crack', usesysid, 't','t','crack'
FROM pg_shadow WHERE usename='postgres';
--
If this happens, the script will create a new superuser. Note that the leading 0; supplies a valid offset that completes the original query so that it succeeds.
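The defence against the tampered $offset described above, as an added example that is not part of the original page: the value is accepted only if it is a plain non-negative decimal integer, and it is then bound as an integer parameter instead of being concatenated into the query. The products table, its columns, the page size and the function names are assumptions, and an in-memory SQLite database stands in for PostgreSQL so the script runs offline.

```php
<?php
// Added example: table, columns, page size and function names are assumptions.
// SQLite in memory stands in for PostgreSQL so the script runs offline.

const PAGE_SIZE = 2;

/** Return the offset as a non-negative int, or null if the input is not a plain decimal number. */
function parse_offset(string $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $value === false ? null : $value;
}

/** Fetch one page of rows; the offset never becomes part of the SQL text. */
function fetch_page(PDO $db, int $offset): array
{
    $stmt = $db->prepare('SELECT id, name FROM products ORDER BY name LIMIT :limit OFFSET :offset');
    $stmt->bindValue(':limit', PAGE_SIZE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (name) VALUES ('anvil'), ('bolt'), ('chisel'), ('drill')");

// Constructed sample inputs: two legitimate offsets, a value with the same
// shape as the tampered one (number, semicolon, second statement, comment),
// and two other non-decimal values.
$inputs = ['0', '2', '0; SELECT 1 --', '-1', '1e3'];

foreach ($inputs as $raw) {
    $offset = parse_offset($raw);
    if ($offset === null) {
        // Reject instead of trying to clean the value up.
        echo 'rejected: ' . json_encode($raw) . PHP_EOL;
        continue;
    }
    $names = array_column(fetch_page($db, $offset), 'name');
    echo "offset $offset: " . implode(', ', $names) . PHP_EOL;
}
```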