basic SQL injection question
amd0freak
06-20-2007, 08:03 PM
ok so i tried "1=1" as the password for the admin directory of a phpBB forum, didn't work, but when i tried "0" as the password, it worked! i got logged in. says i don't have permission to delete some stuff. i managed to delete many tables but there was still lots of stuff it said i had no permission to modify. i am in phpMyAdmin, logged in. what else can i do?
you should probably ask mx
see user title
amd0freak
06-20-2007, 08:06 PM
well he's banned, right? and yeah i heard what happened.
that's odd are you saying by inputting '0' in the password field you were logged in?
amd0freak
06-20-2007, 08:09 PM
yeah. it was weird. i guess it used the while(0) loop in the PHP...instead of the common while(1=1) for a perpetually true statement
i tried "1=1" as the password, said invalid password
i tried "0" it worked
tried random shit, didn't work
tried "0" again with no username and it worked...again.
so then i started deleting shit. deleted some stuff, others it says i can't (see op)
hahaha nice i might try this direct me to the admin area plz?
amd0freak
06-20-2007, 08:12 PM
https://www.icradio.com/admin/
amd0freak
06-20-2007, 08:19 PM
yeah finally deleted all the tables :D or do you still see them
amd0freak
06-20-2007, 08:22 PM
i gotta search google for amateur phpbb forums haha
budlight
06-20-2007, 08:28 PM
did you try 0 or 0=0
it sounds like if it was simply 0 it is just a coding bug
amd0freak
06-20-2007, 08:29 PM
oh. well i did try just 0
0=0 doesn't work
edit: on this particular one
budlight
06-20-2007, 08:32 PM
just weak pw or bad coding not sql injection at all.
Lil Miss Carob Snuggles
06-20-2007, 08:33 PM
just weak pw or bad coding not sql injection at all.
budlight
06-20-2007, 08:35 PM
sql injection would be like
' or 1=1 basically changing the where clause from say
select top 1 uid from table where pwdhash = 'kjlafdsjkafskldasljf' to
select top 1 uid from table where pwdhash = 'kjlafdsjkafskldasljf' or 1=1
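The WHERE-clause change described in the post above, shown next to the parameterized form that prevents it. This is an added example, not part of the original thread; the `users` table, the in-memory SQLite database (which uses `LIMIT 1` where the post writes `top 1`), and the trailing `--` that lets the concatenated statement parse are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: one row, reusing the placeholder hash from the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, pwdhash TEXT)")
    db.execute("INSERT INTO users (uid, pwdhash) VALUES (1, 'kjlafdsjkafskldasljf')")
    return db

def lookup_concatenated(db, supplied):
    # Vulnerable form: the input is pasted into the SQL text, so a quote in it
    # closes the string literal and the rest is parsed as part of the WHERE clause.
    sql = "SELECT uid FROM users WHERE pwdhash = '" + supplied + "' LIMIT 1"
    return sql, db.execute(sql).fetchone()

def lookup_parameterized(db, supplied):
    # Hardened form: the input is bound as a value and is never parsed as SQL.
    sql = "SELECT uid FROM users WHERE pwdhash = ? LIMIT 1"
    return sql, db.execute(sql, (supplied,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    crafted = "' or 1=1 --"  # constructed input, based on the fragment in the post
    for label, fn in (("concatenated", lookup_concatenated),
                      ("parameterized", lookup_parameterized)):
        sql, row = fn(db, crafted)
        print(f"{label:14} {sql!r} -> {row}")
```

With the concatenated query the condition becomes `pwdhash = '' or 1=1` and a row comes back without a matching hash; with the bound parameter the same input is compared as a literal string and matches nothing.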
amd0freak
06-20-2007, 08:36 PM
sql injection would be like basically changing the where clause from say
to
ok i see the difference now. thanks. so it was a cheap exploit cause of a glitch, they must have set the forum/sql database up incorrectly