Joomla! Component com_formmaker 3.4 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： Claudio Viviani
  日期： 2014-09-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34637/

• ######################
  
  # Exploit Title : Joomla Spider Form Maker <= 3.4 SQL Injection
  
  # Exploit Author : Claudio Viviani
  
  # Vendor Homepage : http://web-dorado.com/
  
  # Software Link : http://web-dorado.com/products/joomla-form.html
  
  # Dork Google: inurl:com_formmaker
   
  
  # Date : 2014-09-07
  
  # Tested on : Windows 7 / Mozilla Firefox
  # Linux / Mozilla Firefox
  
  ######################
  
  # PoC Exploit:
  
  http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]
  
  
  "id" variable is not sanitized.
  
  
  ######################
  
  # Vulnerability Disclosure Timeline:
  
  2014-09-07:Discovered vulnerability
  2014-09-09:Vendor Notification
  2014-09-10:Vendor Response/Feedback
  2014-09-10:Vendor Fix/Patch
  2014-09-10:Public Disclosure
  
  #####################
  
  Discovered By : Claudio Viviani
  http://www.homelab.it
  		
  info@homelab.it
  homelabit@protonmail.ch
  
  https://www.facebook.com/homelabit
  https://twitter.com/homelabit
  https://plus.google.com/+HomelabIt1/
  https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
  
  #####################