http://www.securiteam.com/exploits/5BP0F2KG0G.htmlThe following exploit code will retrieve the administrative password of the Mambo product by exploiting an SQL injection vulnerability in the product.
Details
Vulnerable Systems:
* Mambo version 4.5.2.1 with MySQL version 4.x
Exploit:
Mambo 4.5.2.1 + mysql 4.1 > fetch password hash by pokleyzz
*content rating using sub query to select from mos_users
Requirement:
PHP 4.x with curl extension
Description:
The problem occur because $user_rating variable is not properly sanitize when for use in SQL query
for UPDATE statement.
Thanks,
Conor