Joomla EXP Auto 4.2.3 SQL Injection

2018-01-03T00:00:00
ID PACKETSTORM:145629
Type packetstorm
Reporter Bilal Kardadou
Modified 2018-01-03T00:00:00

Description

                                        
                                            `################################################  
#Title: Joomla EXP Auto 4.2.3 - SQL Injection  
#Credit: Bilal KARDADOU  
#Vendor: http://www.feellove.eu/  
#URL:  
https://extensions.joomla.org/extensions/extension/vertical-markets/vehicles/exp-auto/  
#Product: 'Joomla EXP Auto 4.2.3'  
#Developer: Grusha  
#Extension type: Plugin  
#Last updated: Aug 10 2017  
#Compatibility: 3.X  
#Type: Paid download  
#Google Dork: N/A  
################################################  
#  
# Description:  
# EXP Autos - it's the only component that when you change categories,  
changes Makes,Models,Bodytypes,Equipments etc.  
# For example you are selling cars and trucks, cars and trucks have  
different Makes (funny to see in trucks Aston Martin, Audi etc.), different  
Models, different Bodytype(funny to see in trucks - sedan etc.), different  
Equipments etc.  
#  
# --Method=GET -p [expid]  
#  
# -u "  
http://127.0.0.1/joomla/en/vehicles/passenger-cars/used-cars-makes/index.php?option=com_expautospro&view=expmake&format=ajax&tmpl=component&task=expshortlist&expval=1&expid=210[SQLI]&lang=en  
"  
# PoC:  
# https://prnt.sc/hvkh7d  
# https://prnt.sc/hvkhf7  
#  
# Bilal KARDADOU - https://www.linkedin.com/in/kardadou/)  
################################################  
`
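Detection logic for the endpoint in the advisory above, added here as an example and not part of the original advisory: it parses Apache combined-format access log lines (the sample lines are constructed, not real traffic) and flags every request to the com_expautospro component whose expid parameter is not a plain decimal integer, which is the only value the component should ever receive in that parameter.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 2 carries a single quote (%27) in expid, the classic probe marker for the
# parameter the advisory names; line 3 is an unrelated Joomla component.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2018:10:15:02 +0000] "GET /joomla/en/vehicles/index.php?option=com_expautospro&view=expmake&format=ajax&tmpl=component&task=expshortlist&expval=1&expid=210&lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2018:10:15:09 +0000] "GET /joomla/en/vehicles/index.php?option=com_expautospro&view=expmake&format=ajax&tmpl=component&task=expshortlist&expval=1&expid=210%27&lang=en HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jan/2018:10:16:30 +0000] "GET /joomla/index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INTEGER = re.compile(r'[0-9]+')


def suspicious_expid_requests(log_text):
    """Return one record per com_expautospro request whose expid value is not a
    plain decimal integer. parse_qs percent-decodes once, so 210%27 is examined
    as 210' and flagged, while 210 passes as the expected shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip instead of crashing
        params = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        if params.get('option') != ['com_expautospro']:
            continue
        for value in params.get('expid', []):
            if INTEGER.fullmatch(value):
                continue
            hits.append({
                'ip': m['ip'],
                'timestamp': m['ts'],
                'task': params.get('task', [''])[0],
                'expid': value,
                'status': int(m['status']),
            })
    return hits


if __name__ == '__main__':
    for hit in suspicious_expid_requests(SAMPLE_LOG):
        print(hit)
```

A 500 response paired with a flagged expid, as in the second sample line, is the pattern worth alerting on, since a malformed value reaching the query typically surfaces as a database error. On the application side the fix direction is to coerce the parameter to an integer before it is used in SQL (Joomla's JInput::getInt) or to bind it as a query parameter rather than concatenating it.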