Joomla Spider Form Maker 3.4 SQL Injection

2014-09-12T00:00:00
ID PACKETSTORM:128239
Type packetstorm
Reporter Claudio Viviani
Modified 2014-09-12T00:00:00

Description

                                        
                                            `######################  
  
# Exploit Title : Joomla Spider Form Maker <= 3.4 SQL Injection  
  
# Exploit Author : Claudio Viviani  
  
# Vendor Homepage : http://web-dorado.com/  
  
# Software Link : http://web-dorado.com/products/joomla-form.html  
  
# Dork Google: inurl:com_formmaker  
  
  
# Date : 2014-09-07  
  
# Tested on : Windows 7 / Mozilla Firefox  
# Linux / Mozilla Firefox  
  
######################  
  
# PoC Exploit:  
  
http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]  
  
  
"id" variable is not sanitized.  
  
  
######################  
  
# Vulnerability Disclosure Timeline:  
  
2014-09-07: Discovered vulnerability  
2014-09-09: Vendor Notification  
2014-09-10: Vendor Response/Feedback  
2014-09-10: Vendor Fix/Patch  
2014-09-10: Public Disclosure  
  
#####################  
  
Discovered By : Claudio Viviani  
http://www.homelab.it  
  
info@homelab.it  
homelabit@protonmail.ch  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww  
  
#####################`