

Showing posts from October, 2017 | SQL Injection, file/shell upload, system compromise

Joomla com_fabrik vulnerabilities

Raise the error related to the SQL injection


Upload vulnerability

Path (leaked from the error messages)

Poste Italiane - PT100SV multipurpose franking machine (Elettronica Meccanica Sistemi S.P.A.) - operator's manual


PT100SV Software Manual, Release A8C6

Download the manual here

gigapeta.com | path disclosure, XSS, SQL injections, shell upload

We can start by detecting the version manually (automated tools such as joomscan give random values), going by which files are missing:

libraries/joomla/crypt/index.html is missing, so it's probably before Joomla! 1.5.26.
components/com_mailto/helpers/index.html is missing, so it's probably before Joomla! 1.5.23.

(Tip: I just used file and folder comparison with Beyond Compare, but you can also use Meld on Linux)

To get the path we try to raise errors with malformed SQL queries. In this case we are abusing the weblinks component and adding the filter_order parameter even though the site uses SEF URLs (who cares).

to get an output like this:

No valid database connection Unknown column '0' in 'order clause' SQL=SELECT * FROM jos_weblinks WHERE catid = 53 AND p…

| path disclosure, XSS, SQL injections, shell upload, system compromise
The website uses PHP-Nuke with some customizations (sometimes it detects that we are trying to abuse specific bugs).

We can find the path from the Deprecated notices emitted by various modules:

Deprecated: Function ereg() is deprecated in /var/www/html/copus/home/copus/modules/Stories_Archive/index.php on line 25

register_globals seems to be On, so the variables can be overridden with POST/GET requests.

Supposed version <= PHP-Nuke 6.9, since banners.php exists.

In banners.php we have

switch($op) { ... }

By using, for example, this URL: [Sqlinjection]&pass=abc
the SQL is executed and we can dump the data instead of the banners.

File via sql'…

| XSS

[XSS]&btnSubmit=Cerca


Archived with sample JavaScript text: | XSS

The path can be seen in the 404 error pages.


and we can place any video in the content.


Shortened URL:
Archived URL:

| XSS - system compromise is usually sending spam emails.

There's a fake unsubscribe script that reports the removal of anything, even if you add a simple XSS.
'xss');%3C/


The mail server can be exploited with an old remote exploit for Postfix on Debian Linux (Shellshock).