Vendor: Joomla Component Store for K2
By: Ihsan Sencan
CVSS: 8.8 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Joomla Component Store for K2
Affected Version From: 3.8.2
Affected Version To: 3.8.2
Patch Exists: NO
Related CWE: N/A
CPE: a:jworkplace:joomla_component_store_for_k2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win7 x64, Kali Linux x64
2017
Joomla! Component Store for K2 v3.8.2 – SQL Injection
A SQL injection vulnerability exists in Joomla! Component Store for K2 v3.8.2. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can potentially result in the manipulation or disclosure of application data.
Mitigation:
Developers should never construct SQL statements directly from user input. Instead, parameterized statements should be used in order to prevent SQL injection attacks. Additionally, input validation should be performed to ensure that only expected characters are accepted by the application.