Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 26 Dec 2016 16:08:45 +0700
From: "Steevee a.k.a Stefanus" <>
Subject: Joomla com_blog_calendar SQL Injection Vulnerability

Joomla com_blog_calendar SQL Injection Vulnerability

: # Exploit Title : Joomla com_blog_calendar SQL Injection Vulnerability
: # Date : 26th December 2016
: # Author : X-Cisadane
: # CMS Name : Joomla
: # CMS Developer :
: # Category : Web Application
: # Vulnerability : SQL Injection
: # Tested On : SQLMap
: # Greetz to : X-Code YogyaFree, ExploreCrew, CodeNesia, Bogor Hackers
Community, Borneo Crew, Depok Cyber, Mantan

A SQL Injection Vulnerability has been discovered in the Joomla Module
called com_blog_calendar.
The Vulnerability is located in the
index.php?option=com_blog_calendar&modid=xxx Parameter.
Attackers are able to execute own SQL commands by usage of a GET Method
Request with manipulated modid Value.
Attackers are able to read Database information by execution of own SQL

DORKS (How to find the target) :
Or use your own Google Dorks :)

Proof of Concept

SQL Injection
PoC :

Screenshot (PoC) :

Example of Vuln Sites :['SQLi]['SQLi]['SQLi]['SQLi]['SQLi]
... etc ...

-= Regards =-
 Steevee A.K.A

Content of type "text/html" skipped

View attachment "poc.txt" of type "text/plain" (2100 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.