
herakty

0-Day ALERT for the Joomla CMS


fix it by hand if you have any Joomla... attacks will rain down, because it is so simple and with today's tools any kid can wipe a DB

even the most widely used products like Joomla, which are extensively tested and analysed by crackers, still suffer from these ills...

see how simple an SQL Injection exploit is... with this info and the right program, any Joomla

http://www.example.com/index.php?option=com_manager&view=flight&Itemid=


is all that is needed for the following programs to take control of the DB where the Joomla lives

[b]and it is 0-Day because they say this:[/b]

[b]Solution:[/b]

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

[b]Joomla! 'com_manager' Component 'Itemid' Parameter SQL Injection Vulnerability[/b]

The 'com_manager' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

com_manager 1.5.3 is vulnerable; other versions may be affected.

http://www.securityfocus.com/bid/39519/discuss

[b]with this attack, using something like the following, you can do anything on the target DB, and with these programs it can be any DB engine:[/b]

[b]SQLMAP[/b] (Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.)

http://sqlmap.sourceforge.net/features.html

[b]SQLNINJA[/b] SQL Server injection & takeover tool (integrated with MSF) (Microsoft SQL only)

http://www.portugal-a-programar.pt/index.php?showtopic=33831

or the super simple to use [b]SQLiHelper[/b] 2.7 Injector and Dumper for MYSQL / MSSQL, MSAccess added

http://www.portugal-a-programar.pt/index.php?showtopic=33833

teckV
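Added example, not from this post and not the com_manager component's own source (which is not on the page): a hypothetical Joomla 1.5 model method showing the pattern the SecurityFocus advisory describes (user-supplied Itemid concatenated into SQL) beside a hardened version, plus a string-parameter variant that goes beyond the Itemid case. The table and column names (`#__manager_flights`, `itemid`, `code`) are assumptions; `JFactory::getDBO()`, `JRequest::getVar()`, `JRequest::getInt()`, `$db->Quote()` and `$db->setQuery()` are the real Joomla 1.5 API.

```php
<?php
// Hypothetical Joomla 1.5 component code (added example, not com_manager's source).
// Table/column names below are assumptions for illustration only.

// UNSAFE PATTERN: the raw request value goes straight into the SQL string.
// Itemid arrives from the query string as text; nothing checks that it is a number,
// so whatever follows "Itemid=" becomes part of the WHERE clause.
function getFlightUnsafe()
{
    $db = JFactory::getDBO();
    $itemid = JRequest::getVar('Itemid');
    $query = 'SELECT * FROM #__manager_flights WHERE itemid = ' . $itemid;
    $db->setQuery($query);
    return $db->loadObjectList();
}

// HARDENED: coerce the value to the type the query actually needs at the input boundary.
// JRequest::getInt() returns the default (0) for anything that is not an integer,
// and the (int) cast makes the intent explicit at the point of concatenation.
function getFlightHardened()
{
    $db = JFactory::getDBO();
    $itemid = JRequest::getInt('Itemid', 0);
    if ($itemid <= 0) {
        // Reject instead of querying with a bogus id.
        return array();
    }
    $query = 'SELECT * FROM #__manager_flights WHERE itemid = ' . (int) $itemid;
    $db->setQuery($query);
    return $db->loadObjectList();
}

// HARDENED, string parameter: when the value must stay a string, it cannot be cast,
// so it has to be escaped and quoted by the database layer. In Joomla 1.5,
// $db->Quote($text) escapes the text for the active driver and wraps it in quotes.
function getFlightByCodeHardened()
{
    $db = JFactory::getDBO();
    $code = JRequest::getVar('code', '', 'get', 'string');
    if ($code === '' || strlen($code) > 16) {
        return array();
    }
    $query = 'SELECT * FROM #__manager_flights WHERE code = ' . $db->Quote($code);
    $db->setQuery($query);
    return $db->loadObjectList();
}
```

The point to take from the pair is that the fix is not a blacklist of quote characters: integers are cast, strings are passed through the driver's escaping via `Quote()`, and anything that does not fit the expected type is rejected before a query is built. The same check applies to every other request parameter the component reads, not just Itemid.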
