Joomla Event Booking 2.10.1 SQL Injection

2016.09.27

Credit: Persian Hack Team

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

######################
# Exploit Title : Joomla Event Booking Component - SQL Injection
# Exploit Author : Persian Hack Team
# Homepage : http://persian-team.ir
# Vendor Homepage : http://extensions.joomla.org/extension/event-booking
# Category [ Webapps ]
# Tested on [ Win ]
# Version : 2.10.1
# Date 2016/09/25
######################
#
# PoC
# => Sql Injection :
# Date Parameter Vulnerable To SQL
# Demo :
# http://www.site.com/index.php?option=com_eventbooking&view=calendar&layout=weekly&date={SQL}&Itemid=354
#
# Video : http://persian-team.ir/showthread.php?tid=160&pid=291
######################
# Discovered by : Mojtaba MobhaM
# B3li3v3 M3 I will n3v3r St0p
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members
######################

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla Event Booking 2.10.1 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.