CVE-2012-5244
Banana Dance < b.2.6 - SQL Injection via Multiple Parameters
Exploitation Summary
EIP tracks 1 public exploit for CVE-2012-5244. PoCs published by High-Tech Bridge SA.
AI-analyzed exploit summary
The exploit demonstrates multiple vulnerabilities in Banana Dance B.2.6, including PHP file inclusion, improper access control, and SQL injection. It provides proof-of-concept examples for each vulnerability, showcasing how arbitrary files can be included, sensitive database information can be accessed, and SQL queries can be manipulated.
Description
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php; (6) the category parameter to functions/print.php; or (7) the name parameter to functions/ajax.php.