Joomla Event Booking Component - SQL Injection

vendor:

Event Booking

by:

Persian Hack Team

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Event Booking

Affected Version From: 2.10.1

Affected Version To: 2.10.1

Patch Exists: N/A

Related CWE: N/A

CPE: a:joomla:event_booking

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2016

Joomla Event Booking Component – SQL Injection

The Joomla Event Booking Component is vulnerable to SQL Injection. The date parameter is vulnerable to SQL injection. An attacker can inject malicious SQL queries into the vulnerable parameter and gain access to the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

######################
# Exploit Title : Joomla Event Booking Component - SQL Injection
# Exploit Author :  Persian Hack Team
# Homepage : http://persian-team.ir
# Vendor Homepage : http://extensions.joomla.org/extension/event-booking
# Category [ Webapps ]
# Tested on [ Win ]
# Version : 2.10.1
# Date 2016/09/25
######################
#
# PoC
#    => Sql Injection :
# Date Parameter Vulnerable To SQL
# Demo :
# http://server/index.php?option=com_eventbooking&view=calendar&layout=weekly&date={SQL}&Itemid=354
#
# Video : http://persian-team.ir/showthread.php?tid=160&pid=291
######################
# Discovered by :  Mojtaba MobhaM 
# B3li3v3 M3 I will n3v3r St0p
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi &  Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members
######################