tag:blogger.com,1999:blog-55130334391239097852012-02-15T22:35:18.684-08:00sebuah kejahatan tanpa "sebab", Ketika Hidup sudah Mengembara,, hanya ada satu Keyakinan yang Terdalam. Kesetiaan Menemaniku dalam Nyata. terlelap dalam melafalkan nama. .Allah Hu Akbar.....!!vendetanoreply@blogger.comBlogger11100tag:blogger.com,1999:blog-5513033439123909785.post-63539367521865024302010-01-22T01:00:00.000-08:002010-01-22T01:02:58.303-08:00---------------------------------------------------------------------------------<br />joomla component com_jinc (newsid) Blind SQL Injection Vulnerability<br />---------------------------------------------------------------------------------<br /><br />Author : Chip D3 Bi0s<br />Group : LatiHackTeam<br />Email : chipdebios[alt+64]gmail.com<br />Date : 21 September 2009<br />Critical Lvl : Moderate<br />Impact : Exposure of sensitive information<br />Where : From Remote<br />---------------------------------------------------------------------------<br /><span class="fullpost"><br />Affected software description:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Application : JINC (Joomla! Integrated Newsletters Component)<br />version : 0.2<br />Developer : lhacky<br />License : GPL type : Non-Commercial<br />Date Added : 2 September 2009<br />Demo : http://www.lhacky.org/jextensions/index.php?option=com_content&view=article&id=18:how-to-use&catid=12:jinc-documentation&Itemid=28<br /><br />Download : http://www.lhacky.org/jextensions/index.php?option=com_content&view=article&id=3&Itemid=15<br /><br />Description :<br /><br />JINC (Joomla! Integrated Newsletters Component) is a easy-to-use and administer newsletter component for Joomla!.<br />Using JINC your website users can auto-subscribe and unsubscribe to newsletters you defined.<br /><br />JINC includes classical newsletter functionalities<br /><br />* Newsletter, messages and subscription management.<br />* TAG substitution inside the messages body.<br />* User auto-registration with welcome message at subscription time.<br />* Newsletter Disclaimer.<br />* HTML and Text Plain messages.<br />* Massive or personalized messages.<br />* Reports on message sending.<br />* Subscription creating user "on the fly".<br />* Message preview to message creator before sending to the newsletter subscribers<br /><br /><br />---------------------------------------------------------------------------<br /><br /><br />I.Blind SQL injection (newsid) Poc/Exploit:<br />~~~~~~~~~<br />http://127.0.0.1/[path]/index.php?option=com_jinc&view=messages&newsid=1[blind]<br /><br /><br />To make, you must be registered<br /><br />+++++++++++++++++++++++++++++++++++++++<br />[!] Produced in South America<br />+++++++++++++++++++++++++++++++++++++++<br /><br />sumber milw0rm.com [2009-09-21]<br /> </span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5513033439123909785-6353936752186502430?l=vevendeta.blogspot.com' alt='' /></div>vendetanoreply@blogger.com0