Visitors Google Map Lite 1.0.1 Free mod_visitorsgooglemap Module – SQL Injection

• Exploit Database
• 9 阅读

• 作者： Chip d3 bi0s
  日期： 2010-09-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/14952/

• Visitors Google Map Lite 1.0.1 (FREE) (module mod_visitorsgooglemap Remote Sql Injection)
  =========================================================================================
  
  - Discovered by	: Chip D3 Bi0s
  - Email : chipdebios[at]gmail[dot]com
  - Group : LatinHackTeam
  - Date: 2010-09-08
  - Where : From Remote
  
  -------------------------------------------------------------------------------------
  Affected software description
  
  Application : Visitors Google Map Lite 1.0.1 (FREE) (module:mod_visitorsgooglemap) 
  Developer : Serdar Gökkus
  Compatibility : Joomla 1.5 Native
  License : GPLv2 or later
  Date Added: Sunday August 29, 2010 01:14:14
  Download: http://www.comlantis.com/download/doc_download/2-visitors-google-map-lite-101-free.html
  
  I. BACKGROUND
  
  This extension tracks visitors of your site in real time and displays their
  locations in Google Map. It uses three main technologies:
  
  - Map API of Google
  - AJAX
  - IP geolocation API of IPInfoDB
  
  Content of VisitorsGoogeMap Package:
  This extension contains one Joomla Compoment and two Joomla Modules.
  
  com_visitorsgooglemap: This component is responsible for the creation
   database table during installation and remove 
   it clearly in case of uninstallation.
  
  mod_visitorsgooglemap: This module is responsible for the display of
   Google Map in desired module position in your
   template and track the visitors of your Joomla
   page in the map.
  
  mod_visitorsgooglemap_agent: This module is responsible for the updating
   visitors information in the database.
  
  II. DESCRIPTION
  
  Some sql injecton vulnerabilities exist in mod_visitorsgooglemap module .
  
  
  III. ANALYSIS
  
  The bug is in the following files, specifying the lines
  
  /mod_visitorsgooglemap/map_data.php
  
  
  [16] [if ($_GET['action'] == 'listpoints') 
  [17]		{
  [18]			$lastMarkerID = $_GET['lastMarkerID'];
  [19]			ini_set('default_mimetype','text/xml'); // manchmal notwendig
  [20]			header ('Content-Type: text/xml'); // reicht nicht immer
  [21]			echo '<?xml version="1.0" ?>';
  [22]			echo '<xmlresponse>';
  [23]	$database =& JFactory::getDBO(); 
  [24]	$query = "SELECT * FROM #__visitorsgooglemap_location where id > $lastMarkerID order by id";
  
   Explanation:As noted in the line [24] $ lastMarkerID
   nowhere is filtered, which result in a query pede unexpected
  
  
  IV. EXPLOITATION
  
  http://site/path/modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0{sql}
  
  
  
  
  +++++++++++++++++++++++++++++++++++++++
  [!] Produced in South America
  +++++++++++++++++++++++++++++++++++++++