The following exploit code will retrieve the administrative password of the Mambo product by exploiting an SQL injection vulnerability in the product.
* Mambo version 220.127.116.11 with MySQL version 4.x
Mambo 18.104.22.168 + mysql 4.1 > fetch password hash by pokleyzz
*content rating using sub query to select from mos_users
PHP 4.x with curl extension
The problem occur because $user_rating variable is not properly sanitize when for use in SQL query
for UPDATE statement.