The following exploit code will retrieve the administrative password of the Mambo product by exploiting an SQL injection vulnerability in the product.
* Mambo version 22.214.171.124 with MySQL version 4.x
Mambo 126.96.36.199 + mysql 4.1 > fetch password hash by pokleyzz
*content rating using sub query to select from mos_users
PHP 4.x with curl extension
The problem occur because $user_rating variable is not properly sanitize when for use in SQL query
for UPDATE statement.