Joomla! Estate Agent组件SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121040 漏洞类型 SQL注入
发布时间 2012-04-10 更新时间 2012-04-10
CVE编号 CVE-2011-4571 CNNVD-ID CNNVD-201111-493
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/18728
https://www.securityfocus.com/bid/50024
https://cxsecurity.com/issue/WLB-2011100039
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201111-493
|漏洞详情
Joomla!是美国OpenSourceMatters团队的一套使用PHP和MySQL开发的开源、跨平台的内容管理系统(CMS)。Joomla!的EstateAgent(com_estateagent)组件中存在SQL注入漏洞。远程攻击者可借助id参数执行任意SQL命令。
|漏洞EXP
##################################################
# Exploit Title: joomla component (com_estateagent) SQL injection Vulnerability
# Date: 10/04/2012
# Author: xDarkSton3x
# E-mail : xdarkston3x@msn.com
# Category:: webapps
# Google dork: inurl:"com_estateagent"
# Tested on: linux + windows
# Vendor link: http://www.eaimproved.eu/index.php
##################################################

[~]Exploit/p0c :
http://site.com/index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli]

Greetz [ Rs4 - B4nz0k - FailRoot - FailSoft - W4rn1ng] - [ Malandrines Team  -  DiosdelaRed.Com - RemoteExecution ] [ Dedalo - Maztor ]
|受影响的产品
Joomla com_estateagent 0
|参考资料

来源:XF
名称:comestateagent-index-sql-injection(70444)
链接:http://xforce.iss.net/xforce/xfdb/70444
来源:BID
名称:50024
链接:http://www.securityfocus.com/bid/50024
来源:packetstormsecurity.org
链接:http://packetstormsecurity.org/files/view/105618/joomlaestateagent-sql.txt