First (works on 1.6.0):

The vulnerability was discovered by Aung Khant that allows for exploitable SQL Injection attacks against a Joomla 1.6.0 install. This exploit attempts to leverage the SQL Injection to extract admin credentials, and then store those credentials within the notes_db. The vulnerability is due to a validation issue in /components/com_content/models/category.php that erroneously uses the “string” type whenever filtering the user supplied input. This issue was fixed by performing a whitelist check of the user supplied order data against the allowed order types, and also escaping the input.

And second (works on 1.6.X):

This module can be used to gain a remote shell to a Joomla! 1.6.* install when administrator credentials are known. This is acheived by uploading a malicious component which is used to execute the selected payload.

source: First and Second

Educational purpose only.